Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1531078
MD5:	8e6dea93b1bb0a662bcdb18a16518db5
SHA1:	b238cda9515ee5133bf13f788db8e9e0f765a089
SHA256:	0344000995dbb14cfbb5630d7ea741a905dd4236b1a74d7d0f7bd013fb7533ca
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8E6DEA93B1BB0A662BCDB18A16518DB5)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["dissapoiznw.store", "spirittunek.store", "clearancek.site", "mobbipenju.store", "licendfilteo.site", "eaglepawnoy.store", "studennotediw.store", "bathdoomgaz.store"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.481227+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.7	58661	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.350047+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.7	55459	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.426123+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.7	54864	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.409526+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.7	50620	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.529522+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.7	53545	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.385085+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.7	51334	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.500920+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.7	61671	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:16.451223+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.7	63017	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-10T20:25:17.881326+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49726	23.192.247.89	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com:443/profiles/76561199724331900	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7564.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.store", "spirittunek.store", "clearancek.site", "mobbipenju.store", "licendfilteo.site", "eaglepawnoy.store", "studennotediw.store", "bathdoomgaz.store"], "Build id": "4SD0y4--legendaryy"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.store
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.store
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.store
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.store
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.store
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.store
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.7:49726 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D050FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00CCD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00CCD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00D063B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00D099D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00D0695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00CCFCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00CD0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00D06094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00D04040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00CC1000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00CD6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00CFF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00CED1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00CD42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00CE2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00CE2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00CCA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00D064B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00D01440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00CDD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00CEC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00CEE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00CDB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00CC8590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00CE9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00D07520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00CD6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00CFB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00CEE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00D067EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00CED7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00D07710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D05700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00CE28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00CC49A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00CDD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00D03920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00CD1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00D04A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00CC5A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00CD1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00CD1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00CD3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00CF0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00CDDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00CDDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00D09B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00CECCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00CECCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00CECCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D09CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00D09CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00CEAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00CEAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00CEEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00CE7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00CFFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D08D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00CEFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00CEDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00CD1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00CC6EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00CD6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00CCBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00CEAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00CE7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00CE5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00CD4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00D05FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00D07FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D07FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00CDFFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00CC8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00CD6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00CE9F62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00CFFF70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:58661 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:51334 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:61671 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:54864 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:63017 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:50620 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:53545 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:55459 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49726 -> 23.192.247.89:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: dissapoiznw.store
Source: Malware configuration extractor	URLs: spirittunek.store
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store

Source: Joe Sandbox View

IP Address: 23.192.247.89 23.192.247.89

Source: Joe Sandbox View

ASN Name: AKAMAI-ASUS AKAMAI-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b2590b81f9dc0232a821c56a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 10 Oct 2024 18:25:17 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/o
Source: file.exe, 00000000.00000002.1390596089.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1380138015.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900n
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.1390596089.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.1390596089.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: unknown

HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.7:49726 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD0228	0_2_00CD0228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0A0D0	0_2_00D0A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067	0_2_00E32067
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D04040	0_2_00D04040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D91077	0_2_00D91077
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC1000	0_2_00CC1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD2030	0_2_00CD2030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D491E2	0_2_00D491E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC71F0	0_2_00CC71F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCE1A0	0_2_00CCE1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E91194	0_2_00E91194
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC5160	0_2_00CC5160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF82D0	0_2_00CF82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF12D0	0_2_00CF12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7C2CF	0_2_00E7C2CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC12F7	0_2_00CC12F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D3E20E	0_2_00D3E20E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF23E0	0_2_00CF23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCB3A0	0_2_00CCB3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC13A3	0_2_00CC13A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCA300	0_2_00CCA300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF64F0	0_2_00CF64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD4487	0_2_00CD4487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD049B	0_2_00CD049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEC470	0_2_00CEC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDC5F0	0_2_00CDC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC8590	0_2_00CC8590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC35B0	0_2_00CC35B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0C54D	0_2_00F0C54D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D086F0	0_2_00D086F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8F6A2	0_2_00E8F6A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D08652	0_2_00D08652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC164F	0_2_00CC164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFF620	0_2_00CFF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E94751	0_2_00E94751
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFB8C0	0_2_00CFB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFE8A0	0_2_00CFE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCA850	0_2_00CCA850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CF1860	0_2_00CF1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE098B	0_2_00CE098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D089A0	0_2_00D089A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D08A80	0_2_00D08A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D07AB0	0_2_00D07AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D04A40	0_2_00D04A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC7BF0	0_2_00CC7BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDDB6F	0_2_00CDDB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CECCD0	0_2_00CECCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D06CBF	0_2_00D06CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E92C6A	0_2_00E92C6A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6FC1E	0_2_00D6FC1E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D08C02	0_2_00D08C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E97D74	0_2_00E97D74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE8D62	0_2_00CE8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEFD10	0_2_00CEFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEDD29	0_2_00CEDD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8AEFE	0_2_00E8AEFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD6EBF	0_2_00CD6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCBEB0	0_2_00CCBEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CEAE57	0_2_00CEAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D08E70	0_2_00D08E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD4E2A	0_2_00CD4E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D07FC0	0_2_00D07FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC8FD0	0_2_00CC8FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8BF6F	0_2_00E8BF6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CCAF10	0_2_00CCAF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CDD300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00CCCAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9996067966171617
Source: file.exe	Static PE information: Section: bbtbrgws ZLIB complexity 0.9940453506097561

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF8220 CoCreateInstance,

0_2_00CF8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1870336 > 1048576

Source: file.exe

Static PE information: Raw size of bbtbrgws is bigger than: 0x100000 < 0x19f200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.cc0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;bbtbrgws:EW;mihcjhmz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;bbtbrgws:EW;mihcjhmz:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1d6f9b should be: 0x1cfccf

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: bbtbrgws
Source: file.exe	Static PE information: section name: mihcjhmz
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2F0FE push ebx; mov dword ptr [esp], 40137733h	0_2_00F2F13C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F680E3 push 7CADFE7Ah; mov dword ptr [esp], edx	0_2_00F6813B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F270DE push 662AA887h; mov dword ptr [esp], ebp	0_2_00F270F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F360C9 push ebx; mov dword ptr [esp], 3FBFAF39h	0_2_00F360ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F360C9 push ebp; mov dword ptr [esp], esp	0_2_00F36137
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F630B3 push 717D7F7Bh; mov dword ptr [esp], edx	0_2_00F630FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F630B3 push edx; mov dword ptr [esp], edi	0_2_00F63108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4E0B8 push esi; mov dword ptr [esp], eax	0_2_00F4E0C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push ebx; mov dword ptr [esp], 49D9B01Dh	0_2_00E0C102
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push ebx; mov dword ptr [esp], 5122F031h	0_2_00E0C12A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push esi; mov dword ptr [esp], ebx	0_2_00E0C1AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push eax; mov dword ptr [esp], 00000000h	0_2_00E0C1B4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push 6C65F5DCh; mov dword ptr [esp], eax	0_2_00E0C1D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push edi; mov dword ptr [esp], ecx	0_2_00E0C1FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push 2B029525h; mov dword ptr [esp], edx	0_2_00E0C20F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push 27634C5Fh; mov dword ptr [esp], ebx	0_2_00E0C27E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E0C0B6 push edx; mov dword ptr [esp], esi	0_2_00E0C2B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F47095 push 31B5332Fh; mov dword ptr [esp], eax	0_2_00F4709D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F47095 push edx; mov dword ptr [esp], ecx	0_2_00F470BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067 push esi; mov dword ptr [esp], edx	0_2_00E320A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067 push esi; mov dword ptr [esp], ebp	0_2_00E320AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067 push 3FF865CFh; mov dword ptr [esp], edi	0_2_00E320B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067 push edi; mov dword ptr [esp], ecx	0_2_00E320C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067 push eax; mov dword ptr [esp], ecx	0_2_00E32111
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E32067 push ecx; mov dword ptr [esp], 6EC3EF02h	0_2_00E3213C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D063 push edi; mov dword ptr [esp], 1B5EF672h	0_2_00E9D097
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D063 push 28106895h; mov dword ptr [esp], edx	0_2_00E9D0A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D063 push edi; mov dword ptr [esp], 71553C00h	0_2_00E9D0DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D91077 push 4A88EC9Fh; mov dword ptr [esp], ecx	0_2_00D91094
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D91077 push esi; mov dword ptr [esp], edx	0_2_00D9114D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D91077 push 2A0E3500h; mov dword ptr [esp], edi	0_2_00D91205

Source: file.exe	Static PE information: section name: entropy: 7.985837268996957
Source: file.exe	Static PE information: section name: bbtbrgws entropy: 7.953638402214791

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8BA88 second address: E8BA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8BA91 second address: E8BA9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9D1A5 second address: E9D1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46786h 0x00000009 pop esi 0x0000000a jnl 00007F7EE8C4677Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9D1CC second address: E9D1E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7EE8FC0A68h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FCFB second address: E9FD00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FE33 second address: E9FEBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jp 00007F7EE8FC0A6Dh 0x00000014 jmp 00007F7EE8FC0A67h 0x00000019 pushad 0x0000001a jmp 00007F7EE8FC0A5Eh 0x0000001f jnl 00007F7EE8FC0A56h 0x00000025 popad 0x00000026 popad 0x00000027 pop eax 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F7EE8FC0A58h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 mov dword ptr [ebp+122D2E8Dh], esi 0x00000048 lea ebx, dword ptr [ebp+1244FC27h] 0x0000004e mov ecx, eax 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F7EE8FC0A62h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FF81 second address: E9FF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FF8E second address: E9FF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA00ED second address: EA00F3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA00F3 second address: EA0144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 6FA8DB00h 0x00000011 clc 0x00000012 push 00000003h 0x00000014 call 00007F7EE8FC0A68h 0x00000019 pop edx 0x0000001a push 00000000h 0x0000001c movzx edx, ax 0x0000001f push 00000003h 0x00000021 mov edi, esi 0x00000023 call 00007F7EE8FC0A59h 0x00000028 push ecx 0x00000029 jmp 00007F7EE8FC0A5Ah 0x0000002e pop ecx 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA0144 second address: EA0149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC1908 second address: EC190D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D56A second address: E8D59A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46785h 0x00000007 jmp 00007F7EE8C46787h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D59A second address: E8D5A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D5A0 second address: E8D5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFAFA second address: EBFB0A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007F7EE8FC0A56h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFB0A second address: EBFB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFB0E second address: EBFB20 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007F7EE8FC0A56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFB20 second address: EBFB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFB26 second address: EBFB33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F7EE8FC0A56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFC7F second address: EBFCB2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7EE8C46785h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 jo 00007F7EE8C46782h 0x0000001b ja 00007F7EE8C46776h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBFE1E second address: EBFE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC029A second address: EC02C7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7EE8C46785h 0x0000000f jns 00007F7EE8C46782h 0x00000015 jnp 00007F7EE8C46776h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC05B5 second address: EC05BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB58E5 second address: EB5902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7EE8C46788h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB5902 second address: EB5926 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A68h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jns 00007F7EE8FC0A56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB5926 second address: EB592A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB592A second address: EB5930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E927CA second address: E927E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7EE8C46781h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E927E1 second address: E927EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0F3C second address: EC0F63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7EE8C46789h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0F63 second address: EC0F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0F67 second address: EC0F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0F6D second address: EC0F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7EE8FC0A5Dh 0x0000000f jmp 00007F7EE8FC0A66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC127D second address: EC12AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F7EE8C46787h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC1796 second address: EC179C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC7A20 second address: EC7A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6466 second address: EC646A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC646A second address: EC6474 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6474 second address: EC64A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7EE8FC0A65h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6C32 second address: EC6C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC7DBD second address: EC7DD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7EE8FC0A62h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC9D1F second address: EC9D44 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7EE8C46776h 0x00000008 jmp 00007F7EE8C46780h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F7EE8C46776h 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ECDE1B second address: ECDE21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ECDF8D second address: ECDF97 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7EE8C4677Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ECFED6 second address: ECFEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ECFEDA second address: ECFF0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46780h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7EE8C4677Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7EE8C46781h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ECFF0D second address: ECFF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED1D86 second address: ED1D8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED1D8B second address: ED1D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED1D91 second address: ED1DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jl 00007F7EE8C46788h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED1DA4 second address: ED1DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED2180 second address: ED218D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED218D second address: ED2191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED29CC second address: ED29E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7EE8C46776h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F7EE8C46778h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED2DAD second address: ED2DD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F7EE8FC0A77h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED2F66 second address: ED2F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED2F6C second address: ED2F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3498 second address: ED3503 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F7EE8C46778h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 xor dword ptr [ebp+122D191Bh], edx 0x00000027 push 00000000h 0x00000029 pushad 0x0000002a sub dword ptr [ebp+122D1C81h], edi 0x00000030 mov dx, 71D6h 0x00000034 popad 0x00000035 push 00000000h 0x00000037 sub esi, 6C8EAE00h 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f pushad 0x00000040 jmp 00007F7EE8C46787h 0x00000045 jno 00007F7EE8C46776h 0x0000004b popad 0x0000004c pop eax 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3D3A second address: ED3D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3D3E second address: ED3D79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46784h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F7EE8C4678Fh 0x00000013 jmp 00007F7EE8C46789h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3D79 second address: ED3D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4E59 second address: ED4E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F7EE8C46776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4E63 second address: ED4EE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jno 00007F7EE8FC0A58h 0x00000010 push edi 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop edi 0x00000014 popad 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+122D29CFh] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F7EE8FC0A58h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 jmp 00007F7EE8FC0A66h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F7EE8FC0A58h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 push eax 0x0000005a jbe 00007F7EE8FC0A77h 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED589D second address: ED58BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F7EE8C4677Bh 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 jnp 00007F7EE8C4677Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED58BC second address: ED5903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+1245016Ah], esi 0x0000000c push eax 0x0000000d jmp 00007F7EE8FC0A61h 0x00000012 pop edi 0x00000013 push 00000000h 0x00000015 mov si, bx 0x00000018 push 00000000h 0x0000001a call 00007F7EE8FC0A60h 0x0000001f mov dword ptr [ebp+1245D159h], ecx 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 jl 00007F7EE8FC0A5Ch 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED635C second address: ED6362 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6362 second address: ED6367 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6367 second address: ED6414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46782h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jng 00007F7EE8C46788h 0x00000013 jbe 00007F7EE8C46782h 0x00000019 jmp 00007F7EE8C4677Ch 0x0000001e nop 0x0000001f jmp 00007F7EE8C46787h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F7EE8C46778h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 mov dword ptr [ebp+122D2D8Dh], ecx 0x00000046 movzx edi, di 0x00000049 jnl 00007F7EE8C46794h 0x0000004f push 00000000h 0x00000051 mov edi, eax 0x00000053 push eax 0x00000054 pushad 0x00000055 pushad 0x00000056 pushad 0x00000057 popad 0x00000058 pushad 0x00000059 popad 0x0000005a popad 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6F0D second address: ED6F12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6C69 second address: ED6C7B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6F12 second address: ED6F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6C7B second address: ED6C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6F20 second address: ED6F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6C81 second address: ED6C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7EE8C46776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6F3D second address: ED6F73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F7EE8FC0A56h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movsx edi, di 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D2C5Bh] 0x00000018 push 00000000h 0x0000001a cmc 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d push edx 0x0000001e jmp 00007F7EE8FC0A63h 0x00000023 pop edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pop esi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED6C8B second address: ED6C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED7A66 second address: ED7A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED77E8 second address: ED77EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED7A6A second address: ED7AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, edx 0x0000000b push 00000000h 0x0000000d and esi, dword ptr [ebp+122D2A6Bh] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F7EE8FC0A58h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f xor edi, dword ptr [ebp+122D1915h] 0x00000035 push eax 0x00000036 pushad 0x00000037 je 00007F7EE8FC0A5Ch 0x0000003d ja 00007F7EE8FC0A56h 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED77EC second address: ED77F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED7AB7 second address: ED7ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED77F0 second address: ED77F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED77F9 second address: ED77FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDABAA second address: EDABAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDBDDE second address: EDBDFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7EE8FC0A66h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDDB38 second address: EDDB3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDEB4C second address: EDEB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDEB53 second address: EDEB97 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ebx, 4C7F89B6h 0x0000000e push 00000000h 0x00000010 jmp 00007F7EE8C4677Dh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F7EE8C46778h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 xchg eax, esi 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDEB97 second address: EDEBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7EE8FC0A56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDFB3E second address: EDFB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDFB44 second address: EDFB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE2BA0 second address: EE2BBB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7EE8C46776h 0x00000008 jmp 00007F7EE8C46781h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE0D79 second address: EE0D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE0D7E second address: EE0D84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE0D84 second address: EE0D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE0D88 second address: EE0D9A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE52E3 second address: EE5300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7EE8FC0A69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE5300 second address: EE539D instructions: 0x00000000 rdtsc 0x00000002 je 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push esi 0x00000010 jg 00007F7EE8C46778h 0x00000016 pop ebx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F7EE8C46778h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 jmp 00007F7EE8C46785h 0x00000038 add ebx, 6B7864F2h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007F7EE8C46778h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000018h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a xchg eax, esi 0x0000005b pushad 0x0000005c jng 00007F7EE8C4678Ah 0x00000062 jmp 00007F7EE8C46784h 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE539D second address: EE53A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE448E second address: EE4494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE53A1 second address: EE53A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE53A5 second address: EE53B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE53B2 second address: EE53B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE4494 second address: EE44F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bx, C9D3h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov ebx, dword ptr [ebp+122D29FFh] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov ebx, dword ptr [ebp+122D1E57h] 0x00000029 mov eax, dword ptr [ebp+122D0029h] 0x0000002f js 00007F7EE8C4677Ah 0x00000035 push FFFFFFFFh 0x00000037 call 00007F7EE8C46789h 0x0000003c mov bl, A1h 0x0000003e pop ebx 0x0000003f nop 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jc 00007F7EE8C46776h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE5523 second address: EE5529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE5529 second address: EE552D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE73BD second address: EE741B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F7EE8FC0A58h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 clc 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007F7EE8FC0A58h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f push 00000000h 0x00000041 and edi, dword ptr [ebp+1245CE1Eh] 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F7EE8FC0A5Bh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE552D second address: EE5531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE84E1 second address: EE84EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE84EE second address: EE84F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE84F2 second address: EE84F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE76A2 second address: EE76A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE76A6 second address: EE76AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE9502 second address: EE9507 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE8613 second address: EE861A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE861A second address: EE861F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE86B9 second address: EE86D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7EE8FC0A62h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE86D7 second address: EE86DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE9678 second address: EE9691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE9691 second address: EE9745 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7EE8C46778h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D2DC5h], ecx 0x00000013 mov ebx, edi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F7EE8C46778h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 mov dword ptr [ebp+1244A2DDh], ebx 0x0000003c call 00007F7EE8C46784h 0x00000041 mov edi, 7A385762h 0x00000046 pop edi 0x00000047 mov dword ptr fs:[00000000h], esp 0x0000004e mov eax, dword ptr [ebp+122D1729h] 0x00000054 sub bh, FFFFFFE1h 0x00000057 mov edi, ebx 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push esi 0x0000005e call 00007F7EE8C46778h 0x00000063 pop esi 0x00000064 mov dword ptr [esp+04h], esi 0x00000068 add dword ptr [esp+04h], 00000016h 0x00000070 inc esi 0x00000071 push esi 0x00000072 ret 0x00000073 pop esi 0x00000074 ret 0x00000075 nop 0x00000076 pushad 0x00000077 jc 00007F7EE8C46787h 0x0000007d jmp 00007F7EE8C46781h 0x00000082 push eax 0x00000083 push edx 0x00000084 jo 00007F7EE8C46776h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE9745 second address: EE9749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEA6EE second address: EEA701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7EE8C4677Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEB8A0 second address: EEB8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEB8A9 second address: EEB8AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF896 second address: EEF89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF17EC second address: EF17F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF17F0 second address: EF1815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F7EE8FC0A6Fh 0x0000000c jmp 00007F7EE8FC0A63h 0x00000011 jns 00007F7EE8FC0A56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1815 second address: EF1831 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7EE8C46787h 0x00000008 jmp 00007F7EE8C4677Fh 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0131F second address: F0132C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0132C second address: F01336 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7EE8C46776h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01336 second address: F0134A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F7EE8FC0A5Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0134A second address: F01354 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7EE8C4677Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01354 second address: F0135E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0135E second address: F01368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7EE8C46776h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01A59 second address: F01A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7EE8FC0A56h 0x0000000a pop edi 0x0000000b jl 00007F7EE8FC0A58h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01A6C second address: F01A84 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7EE8C46778h 0x00000008 jne 00007F7EE8C46782h 0x0000000e jc 00007F7EE8C46776h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01BF4 second address: F01C04 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7EE8FC0A56h 0x00000008 jnl 00007F7EE8FC0A56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F02158 second address: F02170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7EE8C46776h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F7EE8C4677Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F02170 second address: F02175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F02175 second address: F02187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C4677Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F03CDB second address: F03D05 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7EE8FC0A5Ch 0x00000008 jmp 00007F7EE8FC0A64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F085C7 second address: F085E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F7EE8C46776h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7EE8C4677Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F085E3 second address: F085FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F085FA second address: F08600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F09071 second address: F09077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F09077 second address: F0907D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0907D second address: F09081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F09081 second address: F0908A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8A007 second address: E8A00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8A00C second address: E8A022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F7EE8C46780h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F10873 second address: F10879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F10879 second address: F10899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7EE8C46788h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F10899 second address: F108A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F108A0 second address: F108BF instructions: 0x00000000 rdtsc 0x00000002 je 00007F7EE8C46782h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F7EE8C46780h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1108C second address: F11090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F11090 second address: F110A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7EE8C46776h 0x00000008 je 00007F7EE8C46776h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 ja 00007F7EE8C4677Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1168C second address: F116D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F7EE8FC0A66h 0x0000000f js 00007F7EE8FC0A69h 0x00000015 jmp 00007F7EE8FC0A5Dh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB6501 second address: EB6507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB6507 second address: EB650B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1048C second address: F104AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F7EE8C46776h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jg 00007F7EE8C46776h 0x00000012 popad 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007F7EE8C46776h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F155E5 second address: F155FD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7EE8FC0A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F7EE8FC0A56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0CD3 second address: ED0D10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46784h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jne 00007F7EE8C46776h 0x00000012 pop esi 0x00000013 pushad 0x00000014 jmp 00007F7EE8C46788h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0D74 second address: ED0D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0D7A second address: ED0D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0D80 second address: ED0D84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0EB3 second address: ED0EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0FF7 second address: ED0FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0FFB second address: ED0FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED0FFF second address: ED1053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jno 00007F7EE8FC0A56h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F7EE8FC0A67h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jmp 00007F7EE8FC0A5Eh 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7EE8FC0A67h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED127C second address: ED1295 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jbe 00007F7EE8C4677Ch 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED19F0 second address: ED19F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED19F4 second address: ED19F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED19F8 second address: EB6501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jno 00007F7EE8FC0A56h 0x0000000d pop ebx 0x0000000e popad 0x0000000f nop 0x00000010 jl 00007F7EE8FC0A64h 0x00000016 jmp 00007F7EE8FC0A5Eh 0x0000001b lea eax, dword ptr [ebp+12480471h] 0x00000021 sub dword ptr [ebp+122D32D5h], esi 0x00000027 nop 0x00000028 jmp 00007F7EE8FC0A5Ch 0x0000002d push eax 0x0000002e pushad 0x0000002f jmp 00007F7EE8FC0A5Eh 0x00000034 jmp 00007F7EE8FC0A68h 0x00000039 popad 0x0000003a nop 0x0000003b mov di, si 0x0000003e call dword ptr [ebp+122D2D27h] 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F7EE8FC0A66h 0x0000004b jnl 00007F7EE8FC0A5Ch 0x00000051 jne 00007F7EE8FC0A56h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15B91 second address: F15BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7EE8C46782h 0x0000000b jns 00007F7EE8C46776h 0x00000011 jl 00007F7EE8C46776h 0x00000017 jng 00007F7EE8C46776h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15D30 second address: F15D58 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7EE8FC0A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7EE8FC0A68h 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15D58 second address: F15D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F16000 second address: F16004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1613F second address: F16146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F16146 second address: F1614C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E3EC second address: F1E411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46788h 0x00000009 popad 0x0000000a jl 00007F7EE8C46782h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E411 second address: F1E417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DE5A second address: F1DE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DFA6 second address: F1DFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7EE8FC0A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DFB0 second address: F1DFC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007F7EE8C46776h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1E0F6 second address: F1E111 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7EE8FC0A60h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F20487 second address: F2048D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2048D second address: F20491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B8D second address: F26B95 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26E4D second address: F26E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26E51 second address: F26E6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C4677Dh 0x00000007 je 00007F7EE8C46776h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26E6E second address: F26E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27D6A second address: F27D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27D6E second address: F27D72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27D72 second address: F27D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7EE8C4677Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27D87 second address: F27DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Ch 0x00000007 ja 00007F7EE8FC0A66h 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F7EE8FC0A5Eh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007F7EE8FC0A66h 0x0000001e jmp 00007F7EE8FC0A60h 0x00000023 jnl 00007F7EE8FC0A5Ch 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2C088 second address: F2C08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B32D second address: F2B359 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7EE8FC0A62h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F7EE8FC0A5Ch 0x00000012 push eax 0x00000013 je 00007F7EE8FC0A56h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B359 second address: F2B35E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B47D second address: F2B4B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7EE8FC0A56h 0x0000000a pop ebx 0x0000000b jns 00007F7EE8FC0A5Ch 0x00000011 jng 00007F7EE8FC0A56h 0x00000017 pop ebx 0x00000018 pushad 0x00000019 jmp 00007F7EE8FC0A5Fh 0x0000001e jp 00007F7EE8FC0A5Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B4B7 second address: F2B4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B4BB second address: F2B4BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B7A7 second address: F2B7BC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7EE8C4677Eh 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B7BC second address: F2B7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7EE8FC0A56h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B7CF second address: F2B7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BA9F second address: F2BAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BC09 second address: F2BC1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C4677Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2BC1C second address: F2BC30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F7EE8FC0A56h 0x0000000a jmp 00007F7EE8FC0A5Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F367AF second address: F367C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46781h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F367C4 second address: F367DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F7EE8FC0A62h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F367DE second address: F367EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jc 00007F7EE8C46776h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34B69 second address: F34B6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34B6D second address: F34B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E59 second address: F34E72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jo 00007F7EE8FC0A56h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E72 second address: F34E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E7B second address: F34E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E7F second address: F34E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E85 second address: F34E8F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7EE8FC0A5Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F353AB second address: F353CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46789h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F353CA second address: F353DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F7EE8FC0A56h 0x0000000e popad 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F353DC second address: F353E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F353E2 second address: F3540F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jp 00007F7EE8FC0A56h 0x0000000f jnp 00007F7EE8FC0A56h 0x00000015 pop esi 0x00000016 jnp 00007F7EE8FC0A67h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F356CD second address: F356D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3599C second address: F359AB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7EE8FC0A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35C43 second address: F35C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7EE8C46776h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35F4B second address: F35F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F364D6 second address: F36503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F7EE8C4677Ch 0x0000000b jg 00007F7EE8C46790h 0x00000011 jmp 00007F7EE8C46784h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FE24 second address: F3FE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FE3D second address: F3FE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F7EE8C4677Bh 0x0000000b jo 00007F7EE8C46776h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F587 second address: F3F590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F590 second address: F3F596 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F6E0 second address: F3F6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F84F second address: F3F85D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C4677Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F85D second address: F3F86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F7EE8FC0A56h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F86D second address: F3F871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F871 second address: F3F877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3F877 second address: F3F88C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46780h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FB47 second address: F3FB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FB4B second address: F3FB63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46784h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46F68 second address: F46F6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46F6C second address: F46F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46782h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f push esi 0x00000010 jno 00007F7EE8C46776h 0x00000016 pop esi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46F99 second address: F46FA3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7EE8FC0A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46FA3 second address: F46FAD instructions: 0x00000000 rdtsc 0x00000002 js 00007F7EE8C4677Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46FAD second address: F46FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47242 second address: F47282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46783h 0x00000007 jnc 00007F7EE8C4677Ah 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F7EE8C46789h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47282 second address: F47288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47288 second address: F47290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47290 second address: F472A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4754C second address: F4757E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7EE8C46787h 0x00000012 jmp 00007F7EE8C4677Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47707 second address: F4770B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4770B second address: F47729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C4677Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnl 00007F7EE8C46776h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47729 second address: F47731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47882 second address: F4789B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46785h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4789B second address: F478A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F7EE8FC0A56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F463FD second address: F46426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F7EE8C46787h 0x0000000d popad 0x0000000e push eax 0x0000000f js 00007F7EE8C4677Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F50528 second address: F50533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F7EE8FC0A56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F50533 second address: F5058C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F7EE8C4678Ah 0x00000010 push esi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jg 00007F7EE8C46776h 0x00000019 pop esi 0x0000001a jmp 00007F7EE8C46788h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F7EE8C46781h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C8BD second address: F5C8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C8C3 second address: F5C8D1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C8D1 second address: F5C8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C8D7 second address: F5C8DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C8DB second address: F5C8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C372 second address: F5C38A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46782h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C38A second address: F5C399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F7EE8FC0A56h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F62CD9 second address: F62D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pop esi 0x0000000a jl 00007F7EE8C46776h 0x00000010 pop eax 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 jmp 00007F7EE8C46787h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FE68 second address: F6FE6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FE6C second address: F6FE93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46788h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jc 00007F7EE8C46776h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FE93 second address: F6FE98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FE98 second address: F6FECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46786h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e jbe 00007F7EE8C46776h 0x00000014 pop esi 0x00000015 jmp 00007F7EE8C46781h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FCA5 second address: F6FCB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8FC0A5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FCB5 second address: F6FCD0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7EE8C46776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F7EE8C46781h 0x00000010 jmp 00007F7EE8C4677Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6FCD0 second address: F6FCF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007F7EE8FC0A5Dh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F7EE8FC0A56h 0x00000018 je 00007F7EE8FC0A56h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F795C2 second address: F795E4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7EE8C4678Bh 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F795E4 second address: F795F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F795F0 second address: F79608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C46783h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77E51 second address: F77E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77E55 second address: F77E70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46787h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77E70 second address: F77E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F7EE8FC0A58h 0x0000000c jng 00007F7EE8FC0A80h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77E87 second address: F77E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F7EE8C46776h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F77E98 second address: F77EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7EE8FC0A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78001 second address: F78005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78005 second address: F78011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78011 second address: F78015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78015 second address: F78025 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7EE8FC0A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78025 second address: F78044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8C4677Ah 0x00000009 pop edi 0x0000000a pushad 0x0000000b jc 00007F7EE8C46776h 0x00000011 jng 00007F7EE8C46776h 0x00000017 push eax 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78044 second address: F7804D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7818E second address: F78199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7EE8C46776h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7842D second address: F78431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78431 second address: F78437 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7DE29 second address: F7DE2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7DE2D second address: F7DE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F7EE8C46782h 0x0000000c jmp 00007F7EE8C4677Ch 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7EE8C4677Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7DE60 second address: F7DE6A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7EE8FC0A5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7DE6A second address: F7DE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7EE8C46782h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87A66 second address: F87A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87A6A second address: F87A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A38A second address: F9A38E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB2C8B second address: FB2C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jc 00007F7EE8C46776h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB34F9 second address: FB350B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB350B second address: FB3520 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7EE8C4677Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3520 second address: FB3526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB369E second address: FB36A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB36A8 second address: FB36AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3836 second address: FB3868 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7EE8C46776h 0x00000008 jmp 00007F7EE8C4677Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F7EE8C46787h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB3868 second address: FB386C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB5388 second address: FB538E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB538E second address: FB53BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7EE8FC0A68h 0x0000000b jbe 00007F7EE8FC0A58h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB8276 second address: FB828C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46782h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB80E8 second address: FB8105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnl 00007F7EE8FC0A62h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB8105 second address: FB810B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB810B second address: FB8122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB97D0 second address: FB97E7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7EE8C46776h 0x00000008 jmp 00007F7EE8C4677Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBAD2A second address: FBAD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBAD2E second address: FBAD32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBAD32 second address: FBAD3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC4EB second address: FBC509 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F7EE8C46776h 0x0000000e jmp 00007F7EE8C46780h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC509 second address: FBC52C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c js 00007F7EE8FC0A56h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEFDE second address: FBEFFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8C46786h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEFFB second address: FBF001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF001 second address: FBF010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF246 second address: FBF24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF24B second address: FBF250 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF2D8 second address: FBF2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7EE8FC0A65h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF2F2 second address: FBF35C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7EE8C4677Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F7EE8C4677Ch 0x00000012 pop edx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F7EE8C46778h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e jmp 00007F7EE8C46786h 0x00000033 push 00000004h 0x00000035 jp 00007F7EE8C4677Ch 0x0000003b push 8BD8A7DFh 0x00000040 push ecx 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF5CF second address: FBF5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF5D3 second address: FBF5D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC0F11 second address: FC0F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50D35 second address: 4E50D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50D3B second address: 4E50DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7EE8FC0A5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [eax+00000FDCh] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F7EE8FC0A64h 0x00000018 and ch, 00000038h 0x0000001b jmp 00007F7EE8FC0A5Bh 0x00000020 popfd 0x00000021 push ecx 0x00000022 pushfd 0x00000023 jmp 00007F7EE8FC0A5Fh 0x00000028 add si, BAFEh 0x0000002d jmp 00007F7EE8FC0A69h 0x00000032 popfd 0x00000033 pop ecx 0x00000034 popad 0x00000035 test ecx, ecx 0x00000037 pushad 0x00000038 jmp 00007F7EE8FC0A5Dh 0x0000003d mov edi, esi 0x0000003f popad 0x00000040 jns 00007F7EE8FC0A8Ch 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50DC8 second address: 4E50DCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50DCE second address: 4E50DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 mov ch, D6h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7EE8FC0A5Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50DEA second address: 4E50DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50DF0 second address: 4E50E81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax+00000860h] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7EE8FC0A5Fh 0x00000015 add esi, 174E37CEh 0x0000001b jmp 00007F7EE8FC0A69h 0x00000020 popfd 0x00000021 mov dh, ch 0x00000023 popad 0x00000024 test eax, eax 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F7EE8FC0A65h 0x0000002d sbb cx, B2B6h 0x00000032 jmp 00007F7EE8FC0A61h 0x00000037 popfd 0x00000038 popad 0x00000039 je 00007F7F59BA6952h 0x0000003f jmp 00007F7EE8FC0A5Eh 0x00000044 test byte ptr [eax+04h], 00000005h 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50E81 second address: 4E50E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50E85 second address: 4E50E89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E50E89 second address: 4E50E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EC7ABB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EEF8E9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D239E1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F567DF instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7760

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1390544445.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(&
Source: file.exe, 00000000.00000002.1390596089.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D05BB0 LdrInitializeThunk,

0_2_00D05BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: zProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://steamcommunity.com:443/profiles/76561199724331900	100%	URL Reputation	malware
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.192.247.89	true	true	unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.34	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
eaglepawnoy.store	unknown	unknown	true	unknown
bathdoomgaz.store	unknown	unknown	true	unknown
spirittunek.store	unknown	unknown	true	unknown
licendfilteo.site	unknown	unknown	true	unknown
studennotediw.store	unknown	unknown	true	unknown
mobbipenju.store	unknown	unknown	true	unknown
clearancek.site	unknown	unknown	true	unknown
dissapoiznw.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bathdoomgaz.store	true		unknown
studennotediw.store	true		unknown
clearancek.site	true		unknown
dissapoiznw.store	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
spirittunek.store	true		unknown
licendfilteo.site	true		unknown
eaglepawnoy.store	true		unknown
mobbipenju.store	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://player.vimeo.com	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000002.1390596089.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/o	file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900n	file.exe, 00000000.00000003.1380138015.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com:443/profiles/76561199724331900	file.exe, 00000000.00000002.1390596089.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sketchfab.com	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380138015.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1390596089.0000000000AA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.1380097359.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.1380138015.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.1380097359.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.192.247.89	steamcommunity.com	United States		16625	AKAMAI-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531078
Start date and time:	2024-10-10 20:24:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:25:15	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.192.247.89	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	carrier_ratecon.exe	Get hash	malicious	LummaC	Browse
	6JA2YPtbeB.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	Set-up.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Solara.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
s-part-0032.t-0009.t-msedge.net	https://soloist.ai/grcewalm	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://mb3.io/y6jt3ofc	Get hash	malicious	Unknown	Browse	13.107.246.60
	vmsg_0101024.htm	Get hash	malicious	Unknown	Browse	13.107.246.60
	Play_Now-(Sonaemc)MOPT.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://clicktime.symantec.com/15tpJCqdM9QTMPCbrFFYy?h=klzqFfVRykrA0KxCmyOSMtGNk2cnn93amKCU2afEZ8c=&u=https://www.tiktok.com/link/v2?aid%3D1988%26lang%3Den%26scene%3Dbio_url%26target%3Dhttps://www.google.ht/url?q%3Dhttps://google%25E3%2580%2582com/amp/s/cli.re/kBNkWr%23a2FyZW4ubWNjcm9ob25AdXJlbmNvLmNvbQ%3D%3D%252F%26opi%3D256371986142%26usg%3DlxfGUQNysmkDx%26source%3Dgmail%26ust%3D2908128326238375%26usg%3DAO2mBxLVnqpOjng75rOWFwZ2mBxLVnqpOqR75	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://clickproxy.retailrocket.net/?url=https://veritasbd.net//cgibin/bin/philipp.ettle/cGhpbGlwcC5ldHRsZUBid3QtcGhhcm1hLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://pearl-contol.powerappsportals.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	quote 030214839A - Toron Alim.exe	Get hash	malicious	FormBook	Browse	13.107.246.60
	https://onlinefeature.blob.core.windows.net/plus/online.html?jd6123	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://www.google.es/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Foilproductionpower.com%2Fddd%2Ff3E2tG5ASlq4OLZ8xJKHkkFY/TExQQG5vdm96eW1lcy5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	PO01282Speyside.pdf	Get hash	malicious	HtmlDropper	Browse	217.20.57.39
	http://email.mx02.email-max.com/c/eJw8zrFy8iAAAOCnge33EEjAgcE_LVFrvcb0Wu3iQQDDBaLGxIt9-p4dOn_LZ0Q1m6HKQiumDHPKKCMM1kI7rozj1BnmEj5DjjuiqCOGpJozXkEvkjSdpoQiQFEc0XRio_LhX1TjpDpFGETd92dA5gBLgOWptcG3jTcPBFj2AEuaFV_LN7Tf7-7_E7QaLx3Khxw1K71E-e6pxgnA8naZl8-fi_O2zV77fN583DZDuZZZua1d-b3JYlduxvXw0haq6oti8d55GeyoOt_CeD9Ee72qoz148_eFnVDa2OCDqidKm9PQaEDR8dH_rd8E_gkAAP__7g5YOw	Get hash	malicious	Phisher	Browse	217.20.57.18
	https://mctcon.net/index.html	Get hash	malicious	HTMLPhisher	Browse	217.20.57.18
	https://evtokxibasvuruhizmetleriniz.jumpingcrab.com/	Get hash	malicious	Unknown	Browse	217.20.57.40
	original.eml	Get hash	malicious	HtmlDropper	Browse	84.201.211.21
	file.exe	Get hash	malicious	LummaC	Browse	84.201.210.22
	https://ipfs.io/ipfs/QmNRP5R9QkxB8MVgk2kWzrmB6GoTVL3gcLheGnJuUDPaXv?filename=forme.html#jstubblefield@securustechnologies.com	Get hash	malicious	HTMLPhisher	Browse	217.20.57.18
	20fUAMt5dL.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	217.20.57.18
	https://Vv.ndlevesio.com/vrbU/	Get hash	malicious	Unknown	Browse	217.20.57.18
	PFW1cgN8EK.exe	Get hash	malicious	LummaC	Browse	217.20.57.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	original (1).eml	Get hash	malicious	Unknown	Browse	2.19.126.151
	brayton HR Bulletin_270852_3BU4-ZSJO2U-JMY3.pdf	Get hash	malicious	Unknown	Browse	23.203.104.175
	vEOTtk6FeG.elf	Get hash	malicious	Mirai	Browse	184.50.185.53
	RFNnJGB7wy.elf	Get hash	malicious	Mirai	Browse	96.26.27.22
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Fw_ Complete with Docusign_ J929272_SOW Extension_002_09-OCT-24_201415.pdf.eml	Get hash	malicious	Unknown	Browse	2.19.126.140
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	2NkFwDDoDy.elf	Get hash	malicious	Mirai	Browse	104.73.138.82
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Set-up.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Set-up.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	Solara.exe	Get hash	malicious	LummaC	Browse	23.192.247.89

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.947486849312721
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'870'336 bytes
MD5:	8e6dea93b1bb0a662bcdb18a16518db5
SHA1:	b238cda9515ee5133bf13f788db8e9e0f765a089
SHA256:	0344000995dbb14cfbb5630d7ea741a905dd4236b1a74d7d0f7bd013fb7533ca
SHA512:	f774d9684990bb7c0447bc3c98aa5beadb6a10dc67b67d6fe22eb1577ef7a0cd116e72c035c57227ebcbc2f8b45fe2ea0dbf7ad89180cb5bfbd975dda1a85ac4
SSDEEP:	49152:S4RjkHZibhYS7EBt/WYseUew0IWoW75NoaGHcFesE8:S4RAH2hYS7EBFWY3xw0IWjNo3csv
TLSH:	B88533371E57B1E3CE55E07B2F3149290721D36706648BB29E14F9322922DE7C1ABB8D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@...........................K......o....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ad000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F7EE944A36Ah
punpckhbw mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F7EE944C365h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0200000Ah
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	70720de9cf02bdcfe753bfaee86148bc	False	0.9996067966171617	data	7.985837268996957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2ac000	0x200	e7c9784ef929ae98f1e2891450b97398	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bbtbrgws	0x30c000	0x1a0000	0x19f200	158cef6968aaff7f67daafa38be6a105	False	0.9940453506097561	data	7.953638402214791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mihcjhmz	0x4ac000	0x1000	0x400	46fce8d9780ce4ce89da78491f3d773b	False	0.8271484375	data	6.383653763591579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ad000	0x3000	0x2200	84379d667d00137e0b9a40a1b50fb366	False	0.031479779411764705	DOS executable (COM)	0.27815636077879713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-10T20:25:16.350047+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.7	55459	1.1.1.1	53	UDP
2024-10-10T20:25:16.385085+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.7	51334	1.1.1.1	53	UDP
2024-10-10T20:25:16.409526+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.7	50620	1.1.1.1	53	UDP
2024-10-10T20:25:16.426123+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.7	54864	1.1.1.1	53	UDP
2024-10-10T20:25:16.451223+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.7	63017	1.1.1.1	53	UDP
2024-10-10T20:25:16.481227+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.7	58661	1.1.1.1	53	UDP
2024-10-10T20:25:16.500920+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.7	61671	1.1.1.1	53	UDP
2024-10-10T20:25:16.529522+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.7	53545	1.1.1.1	53	UDP
2024-10-10T20:25:17.881326+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49726	23.192.247.89	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 20:25:16.621350050 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:16.621402979 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:16.621467113 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:16.624532938 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:16.624555111 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.409271955 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.409476042 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.412570953 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.412580013 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.413069010 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.454611063 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.462884903 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.507400990 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881470919 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881550074 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881553888 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.881581068 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881599903 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881613016 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.881638050 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.881640911 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881665945 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881695032 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.881705046 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.881719112 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.923408031 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.958771944 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.958789110 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.958823919 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.958848953 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.958897114 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.958904982 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.958945990 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.961868048 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.961955070 CEST	443	49726	23.192.247.89	192.168.2.7
Oct 10, 2024 20:25:17.962028027 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.962832928 CEST	49726	443	192.168.2.7	23.192.247.89
Oct 10, 2024 20:25:17.962846994 CEST	443	49726	23.192.247.89	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 20:25:16.350047112 CEST	55459	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.381160975 CEST	53	55459	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.385085106 CEST	51334	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.406966925 CEST	53	51334	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.409526110 CEST	50620	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.423970938 CEST	53	50620	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.426122904 CEST	54864	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.448786974 CEST	53	54864	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.451222897 CEST	63017	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.477300882 CEST	53	63017	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.481226921 CEST	58661	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.498013020 CEST	53	58661	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.500920057 CEST	61671	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.526504040 CEST	53	61671	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.529521942 CEST	53545	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.561572075 CEST	53	53545	1.1.1.1	192.168.2.7
Oct 10, 2024 20:25:16.567193031 CEST	52974	53	192.168.2.7	1.1.1.1
Oct 10, 2024 20:25:16.615740061 CEST	53	52974	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 20:25:16.350047112 CEST	192.168.2.7	1.1.1.1	0x79f1	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.385085106 CEST	192.168.2.7	1.1.1.1	0x667f	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.409526110 CEST	192.168.2.7	1.1.1.1	0x1995	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.426122904 CEST	192.168.2.7	1.1.1.1	0xfbc9	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.451222897 CEST	192.168.2.7	1.1.1.1	0xc022	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.481226921 CEST	192.168.2.7	1.1.1.1	0x18b3	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.500920057 CEST	192.168.2.7	1.1.1.1	0x4412	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.529521942 CEST	192.168.2.7	1.1.1.1	0x110e	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.567193031 CEST	192.168.2.7	1.1.1.1	0xe2e5	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 20:25:11.209667921 CEST	1.1.1.1	192.168.2.7	0x963a	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 20:25:11.209667921 CEST	1.1.1.1	192.168.2.7	0x963a	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.381160975 CEST	1.1.1.1	192.168.2.7	0x79f1	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.406966925 CEST	1.1.1.1	192.168.2.7	0x667f	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.423970938 CEST	1.1.1.1	192.168.2.7	0x1995	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.448786974 CEST	1.1.1.1	192.168.2.7	0xfbc9	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.477300882 CEST	1.1.1.1	192.168.2.7	0xc022	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.498013020 CEST	1.1.1.1	192.168.2.7	0x18b3	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.526504040 CEST	1.1.1.1	192.168.2.7	0x4412	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.561572075 CEST	1.1.1.1	192.168.2.7	0x110e	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:16.615740061 CEST	1.1.1.1	192.168.2.7	0xe2e5	No error (0)	steamcommunity.com		23.192.247.89	A (IP address)	IN (0x0001)	false
Oct 10, 2024 20:25:26.168070078 CEST	1.1.1.1	192.168.2.7	0xf61	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 10, 2024 20:25:26.168070078 CEST	1.1.1.1	192.168.2.7	0xf61	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49726	23.192.247.89	443	7564	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-10 18:25:17 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-10 18:25:17 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 10 Oct 2024 18:25:17 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=b2590b81f9dc0232a821c56a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-10 18:25:17 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-10 18:25:17 UTC	10062	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa
2024-10-10 18:25:17 UTC	913	IN	Data Raw: 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0d 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 70 72 69 76 61 63 79 5f 61 67 72 65 65 6d 65 6e 74 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 26 6e 62 73 70 3b 20 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 Data Ascii: t="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Privacy Policy</a>  \|  <a href="https://store.steampowered.c

Target ID:	0
Start time:	14:25:13
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcc0000
File size:	1'870'336 bytes
MD5 hash:	8E6DEA93B1BB0A662BCDB18A16518DB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	59.6%
Total number of Nodes:	52
Total number of Limit Nodes:	6

Executed Functions

Function 00D050FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00D05182

Strings

<I$), xrefs: 00D05198
<I$), xrefs: 00D052E3
@^, xrefs: 00D05120

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 549ba4d5ea97cd20cb384a3200febf4ef64953bcba455cc50e2f4249cec5dd0e
Instruction ID: c5ab3abe72e7d7c6c6e859b1ee5869909591add9f67ba40db25655ecf8fcc36e
Opcode Fuzzy Hash: 549ba4d5ea97cd20cb384a3200febf4ef64953bcba455cc50e2f4249cec5dd0e
Instruction Fuzzy Hash: 95219F355083849FC300DF68E88176AB7E4AB6A300F69882CE5C5D7391DA75DA15CF66

Function 00CCFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VY^_, xrefs: 00CCFDFF
t, xrefs: 00CCFCBE
V, xrefs: 00CCFEDC
J|BJ, xrefs: 00CD000D

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: b8b5e5f26518496c20d59323f952269430e58bba6144d80d02577137e42cdfbf
Instruction ID: a6d3b116c87e7371e7a86ad00d94f51afff8850fbe10b71c2e40c22a0e57eaf4
Opcode Fuzzy Hash: b8b5e5f26518496c20d59323f952269430e58bba6144d80d02577137e42cdfbf
Instruction Fuzzy Hash: 16D168745083809BD311DF58D490B5FBBE2AB92744F28881DF5D98B352C336DE4AEB92

Function 00CCD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00CCD2F1

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b80da379410bf85763740ff9e0bdf20e9c9db37f1a566b95476894f3829ce645
Instruction ID: 10623aebd2bf527be964b85aaff7d088a2279cf8fc25c875757a67dd5c9f4c14
Opcode Fuzzy Hash: b80da379410bf85763740ff9e0bdf20e9c9db37f1a566b95476894f3829ce645
Instruction Fuzzy Hash: 6241337040D380ABD701AB68D684E2EFBF5AF92745F188C2CE5C597252C33AD8159B67

Function 00D05BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00D0973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00D05BDE

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00D0695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00D069C5

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 074f0b4bb46794409e2da97b633e7132e1ac86672909c893755392a5acea8953
Instruction ID: 08ab1658ce058aa7d144382f05a5ebdf8b117f4cbafe74bfa9e346eec7f93552
Opcode Fuzzy Hash: 074f0b4bb46794409e2da97b633e7132e1ac86672909c893755392a5acea8953
Instruction Fuzzy Hash: 4E3198B0A083019FD718EF18D89072BB7F2EF84344F08881CE5CA972A1E738D914CB66

Function 00CD049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa4d597bd8a8e79ba74697acbadd156ea1ab31b3031a2f2b7678b344624cb18
Instruction ID: b2668ce3c9976ff6f5a07e74319e313ad9f4479a9d25993c59ad0b8152263591
Opcode Fuzzy Hash: 9aa4d597bd8a8e79ba74697acbadd156ea1ab31b3031a2f2b7678b344624cb18
Instruction Fuzzy Hash: 99915975200B00DFD724CF25E894B16B7F6FF89310B218A6DE956CBBA1DB71A815CB60

Function 00CD0228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86f48b9c12066645424e620d1fc445a71061361ba095dde1ee16a36d1553e43
Instruction ID: ecfdc2b632b594ae1d15f923385edcd5203d88366855ec0a93734a16119df353
Opcode Fuzzy Hash: a86f48b9c12066645424e620d1fc445a71061361ba095dde1ee16a36d1553e43
Instruction Fuzzy Hash: CD716975200700DFD724CF25E894B17B7B6FF89311F208969E99ACBB62CB71A815CB60

Function 00D099D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1ecb8a8df762886f77b1c81f1f8976dcb8f702152811701e4e9b7a5b7497bc
Instruction ID: 70acd4d2a5de891668ad745f8a714514d305588400c119127acf1f58717bf257
Opcode Fuzzy Hash: 6a1ecb8a8df762886f77b1c81f1f8976dcb8f702152811701e4e9b7a5b7497bc
Instruction Fuzzy Hash: F7416D34208300ABD714DA15E8A1B2BF7E6EB85724F58882CF5CA972D2D735E811CB72

Function 00D063B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f3afce850f2fa22c6b24207c114e16b360bdceb2ed071102d7c3711d234e248
Instruction ID: c1e5438beeea29399f949cf96c1be5d1bbcdef38ec51a022957d1e72d9dbb8d7
Opcode Fuzzy Hash: 7f3afce850f2fa22c6b24207c114e16b360bdceb2ed071102d7c3711d234e248
Instruction Fuzzy Hash: 7631C370649301BADA24DB04DD82F2BB7A5EB81B11F68850CF1859A2D5D770E821CB72

Function 00CD0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749eddec644d5a1e9b430020a77b77e6ef5069dd40840921b4ae7d3cb7173dfc
Instruction ID: 993b8f484924e087265fbcb4f55ed8dc229d732804cc095db0a0fdfbc52e72a9
Opcode Fuzzy Hash: 749eddec644d5a1e9b430020a77b77e6ef5069dd40840921b4ae7d3cb7173dfc
Instruction Fuzzy Hash: A9211AB490022A9FDB15CF94CC90BBEBBB1FF4A304F244859E515BB392C735A911CB64

Function 00D03220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00D032A6

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9f69e5ea860fdfbff11b6249baaaaa15cca6d1fa5a2b8f606fa6d57f5492ce7e
Instruction ID: 3427a75ecc938d203cea6e1ea2d43767599173b6af43b0bdb3433dc54df25216
Opcode Fuzzy Hash: 9f69e5ea860fdfbff11b6249baaaaa15cca6d1fa5a2b8f606fa6d57f5492ce7e
Instruction Fuzzy Hash: EF016D3450D340ABC701EF18E845A1EBBE8EF4A700F05881CE5C98B362D735ED60CBA6

Function 00D03202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00D03208

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 672e78e22353364f8b8d2f379f7784838de51ae167f9e4aa7721d9fa854af864
Instruction ID: fa8ad18ab6aec87cdac2190f9f393a24e7af4fac900f2d09502a03dccb66c78b
Opcode Fuzzy Hash: 672e78e22353364f8b8d2f379f7784838de51ae167f9e4aa7721d9fa854af864
Instruction Fuzzy Hash: 3DB012300401007FDA041B00EC0AF003511EB00605F900050A101441F1D6655865C564

Non-executed Functions

Function 00CDDB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

AR, xrefs: 00CDDD10
lkji, xrefs: 00CDE73E
<=:;, xrefs: 00CDE930
@ONM, xrefs: 00CDE6DB
%*+(, xrefs: 00CDDE37, 00CDDE46
89>?, xrefs: 00CDE9F6
WP, xrefs: 00CDDCEF
`Y^_, xrefs: 00CDE99E
QNOL, xrefs: 00CDE775
<=2, xrefs: 00CDEA01
DCBA, xrefs: 00CDE887, 00CDE896
LKJI, xrefs: 00CDE6E6
`onm, xrefs: 00CDE733
89&', xrefs: 00CDE93B
mjkh, xrefs: 00CDE7D8
tuJK, xrefs: 00CDE967
tsrq, xrefs: 00CDE6FC
xgfe, xrefs: 00CDE71D
D, xrefs: 00CDE846
()./, xrefs: 00CDE9CA
|, xrefs: 00CDECB1
:WUE, xrefs: 00CDF6B7, 00CDF6C6
dcba, xrefs: 00CDE728
T, xrefs: 00CDF157

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: 161ef686d6e804a84560721795835aef62d1a08ed293d1380b0e464d14b3fb72
Instruction ID: 6bd33512a24c203704b6115cff354fa9fd6cddb4c8996d56501a9841f55f5a59
Opcode Fuzzy Hash: 161ef686d6e804a84560721795835aef62d1a08ed293d1380b0e464d14b3fb72
Instruction Fuzzy Hash: 8EF288B05083819BD770DF14C884BABBBE6BFD5304F14482EE5D98B391EB719985CB92

Function 00CF23E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

mlc@, xrefs: 00CF275C
|}&C, xrefs: 00CF2F21
`tii, xrefs: 00CF2693
3<, xrefs: 00CF32D6
fedc, xrefs: 00CF2782
aenQ, xrefs: 00CF276A
{l`~, xrefs: 00CF268C
%*+(, xrefs: 00CF40EF
f@~!, xrefs: 00CF25FF
:, xrefs: 00CF32DD
Cx, xrefs: 00CF453D
ggxz, xrefs: 00CF2685

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: c7f563b26c4299747e38baf931bdf985d7b89e30753a12f68710b1218126e0f4
Instruction ID: 600a5a658fc482fb81301ae39abc86d6ce3537a86711179ac7fd8295c9cedf47
Opcode Fuzzy Hash: c7f563b26c4299747e38baf931bdf985d7b89e30753a12f68710b1218126e0f4
Instruction Fuzzy Hash: 2533CC70104B818BD7658F38C590773BBE1BF16304F58899DE5EA8BB92C735E906CB62

Function 00CE9F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

Gt, xrefs: 00CE9FF8
kW, xrefs: 00CEA380
CG, xrefs: 00CEAA32
WQ, xrefs: 00CEA62B
=], xrefs: 00CEA36A
%e6g, xrefs: 00CEA152
]{, xrefs: 00CEA1E7, 00CEA1F3
WH, xrefs: 00CEAA1C
sm, xrefs: 00CEA830
(a*c, xrefs: 00CEA147
_Y, xrefs: 00CEA641
/), xrefs: 00CEA66D
hi, xrefs: 00CEAB9D
?m,o, xrefs: 00CEA13C
JG, xrefs: 00CEAA27
S], xrefs: 00CEA636
N[, xrefs: 00CEA375

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 3c1aabbb280ed45f15d50ae4b058a0ee45d7cff6f707e2bd208149101a28ce48
Instruction ID: 1e5c825c075e3bf11f10a9dd3e21500bb29db94b578c31d77eef5fbbf1c1aadb
Opcode Fuzzy Hash: 3c1aabbb280ed45f15d50ae4b058a0ee45d7cff6f707e2bd208149101a28ce48
Instruction Fuzzy Hash: A552B6B844D385CAE270CF26D581B8EBAF1BB92740F608A1DE1ED9B255DB708145CF93

Function 00CE9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

;IJK, xrefs: 00CE983E
8;, xrefs: 00CE9B13
B?Q9, xrefs: 00CE9B0B
z=Q?, xrefs: 00CE9826
G+X5, xrefs: 00CE9AF3
,A&C, xrefs: 00CE982E
2A"_, xrefs: 00CE9980
T#a-, xrefs: 00CE9AE3
O+f), xrefs: 00CE9634, 00CE963D
G'M!, xrefs: 00CE9ADB
pq, xrefs: 00CE99E0
X/R), xrefs: 00CE9AEB
L3Y=, xrefs: 00CE9B03
B7U1, xrefs: 00CE9AFB
!E4G, xrefs: 00CE9836
?M0K, xrefs: 00CE9968

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 50cc63768e2e99503c8b917e28cf2f157029b2b64bb72c6a62780f950c3acd6a
Instruction ID: 630c5bcbedefb69b04155245e0abdee00b4bed6df78ba11380dcc3ba16ea71b6
Opcode Fuzzy Hash: 50cc63768e2e99503c8b917e28cf2f157029b2b64bb72c6a62780f950c3acd6a
Instruction Fuzzy Hash: FBF12CB0508380ABD310DF16D881A2BBBF4FB86B48F144D1CF4D99B252D374DA49DBA6

Function 00E91194 Relevance: 16.6, Strings: 12, Instructions: 1595COMMON

Download Yara Rule

Strings

4ds:, xrefs: 00E92028
Iyc^, xrefs: 00E92215
RcJ|, xrefs: 00E9122D
?|j, xrefs: 00E91448
_J<, xrefs: 00E9171C
l,lj, xrefs: 00E91BF0
&`o, xrefs: 00E91FBC
U|~, xrefs: 00E91A74
g\p, xrefs: 00E91B6A
}yXA, xrefs: 00E919A6
o{v, xrefs: 00E9204D
#P$., xrefs: 00E91AAC

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: #P$.$&`o$4ds:$?|j$Iyc^$RcJ|$_J<$g\p$l,lj$}yXA$U|~$o{v
API String ID: 0-4284529978
Opcode ID: 2a60e3156a226403ec508f85dec1f02703dfa216571070ef5e0a8ee51fe4d1ff
Instruction ID: ac1ddad00af5f725130518f81541ad0c332beafb0f17bd12454a57f99a879da6
Opcode Fuzzy Hash: 2a60e3156a226403ec508f85dec1f02703dfa216571070ef5e0a8ee51fe4d1ff
Instruction Fuzzy Hash: 22B206F36086009FE704AE29EC8567AFBE5EF94320F1A893DEAC4C7744E63558458693

Function 00CEDD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

=]+_, xrefs: 00CEE276
)IgK, xrefs: 00CEE261
%*+(, xrefs: 00CEE143
upH}, xrefs: 00CEDE8A, 00CEE798, 00CEDF4A
hX]N, xrefs: 00CEDDC7
-M2O, xrefs: 00CEE25A
{E, xrefs: 00CEE323
n\+H, xrefs: 00CEDDC0
Y9N;, xrefs: 00CEE245
,Q?S, xrefs: 00CEE26F
<Y.[, xrefs: 00CEE27D

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: df05eb17110420057144daad8f29a17a2a52fcf78d526d0cae094a04ed3c1ed1
Instruction ID: 530b7dee2ce31a26bd8780fde6f261a30fe31b8f4e97875c96b1063db0df2313
Opcode Fuzzy Hash: df05eb17110420057144daad8f29a17a2a52fcf78d526d0cae094a04ed3c1ed1
Instruction Fuzzy Hash: D1922475E00245DFDB14CF69D8817AEBBB2FF49310F298168E516AB391D735AD02CBA0

Function 00CE098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

cah`, xrefs: 00CE107E
&> &, xrefs: 00CE0F89
gce/, xrefs: 00CE1073
%*+(, xrefs: 00CE0A77, 00CE0A86
qrqp, xrefs: 00CE1089
9.5^, xrefs: 00CE0F9F
,#15, xrefs: 00CE0F94
{, xrefs: 00CE1502

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: f6b19322f73bd44b1207fa6d635dea7522febb68814175b81f7d68832c5a4364
Instruction ID: 28ec248e8638a9ee1564ddb43667d1c60b4db5df3548924e0bd12f708dff443a
Opcode Fuzzy Hash: f6b19322f73bd44b1207fa6d635dea7522febb68814175b81f7d68832c5a4364
Instruction Fuzzy Hash: BD62BAB16083818BD330CF15D895BAFBBE1FF96314F18492DE49A8B681D7758981CB93

Function 00CC1000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 00CC157D, 00CC15EB
@, xrefs: 00CC2C40
gfff, xrefs: 00CC2297
0123456789abcdefxp, xrefs: 00CC1587, 00CC15F8
-, xrefs: 00CC21ED
gfff, xrefs: 00CC22E1
gfff, xrefs: 00CC2226

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: f1c058b0f9e1afd95de415a2cf04574b7c8628652d1e2263e36810463f4faa4f
Instruction ID: 2c721591d982f01078b31afffe60119c4926255a79fa3f24c3e4709b6ca68862
Opcode Fuzzy Hash: f1c058b0f9e1afd95de415a2cf04574b7c8628652d1e2263e36810463f4faa4f
Instruction Fuzzy Hash: C1D2F6716083518FD718CE29C494B6ABBE2AFD5314F18C62DE8A9C7392D734DE45CB82

Function 00E92C6A Relevance: 10.4, Strings: 7, Instructions: 1663COMMON

Download Yara Rule

Strings

%7w;, xrefs: 00E93CD9
Us]], xrefs: 00E93C85
Jd~}, xrefs: 00E93B08
z5df, xrefs: 00E93548
9}, xrefs: 00E92E91
b0o, xrefs: 00E94063
~Ow, xrefs: 00E94036

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %7w;$Jd~}$Us]]$b0o$z5df$~Ow$9}
API String ID: 0-2467793293
Opcode ID: 33be011e52270e6b8947c32b7195795c9a691845ab4c148e863d601b3e39e1bd
Instruction ID: 4a847f6eea5effe7cb320fcf8d60039456418d9e66858fc488e94c1f85f97297
Opcode Fuzzy Hash: 33be011e52270e6b8947c32b7195795c9a691845ab4c148e863d601b3e39e1bd
Instruction Fuzzy Hash: 9EB2E5F360C6049FE3046E29EC8567AFBE9EFD4720F16893DE6C4C3744EA3598058696

Function 00CC12F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

i, xrefs: 00CC28EA
0, xrefs: 00CC243E
@, xrefs: 00CC3531
0, xrefs: 00CC1E88
0, xrefs: 00CC1DC1

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: 239a7aa260cab9b7cebff2aa51024ff26911025e167aae6c9c511f6cbc6c7431
Instruction ID: 788ffb0cc8820b49e071f81f5fb1906fea070bb50429070c9d2079efaff745a5
Opcode Fuzzy Hash: 239a7aa260cab9b7cebff2aa51024ff26911025e167aae6c9c511f6cbc6c7431
Instruction Fuzzy Hash: 4762B37160C3818FD319CF29C494B6ABBE1AFD5304F188E6DE8E987291D774DA45CB82

Function 00CC164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 00CC164F
gfff, xrefs: 00CC1F57
gfff, xrefs: 00CC1F3C
0123456789abcdefxp, xrefs: 00CC1659
+, xrefs: 00CC1573

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 4e69229529b07ff16273c43771f941c56213f320ec9a4fd09fef7a241be08b85
Instruction ID: d5ce5dead94045db70bb699be27b551ce3fb3018d68558c9f0a0b20834aab21a
Opcode Fuzzy Hash: 4e69229529b07ff16273c43771f941c56213f320ec9a4fd09fef7a241be08b85
Instruction Fuzzy Hash: 9EF1A13160C3818FC719CE29C49476AFBE2AFD9304F188A6DE8D987352D774DA45CB92

Function 00CC13A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

-, xrefs: 00CC1F23
0123456789ABCDEFXP, xrefs: 00CC13A3
gfff, xrefs: 00CC1F57
gfff, xrefs: 00CC1F3C
0123456789abcdefxp, xrefs: 00CC13AD

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 29bd48afb9a7a920d8eb1315a7c8a0f544cc9b9f725851fe28000c0589e503e6
Instruction ID: be5f64156b89fc0666c7a4dc40384696d6e35706539da704ddab662e3664b7a7
Opcode Fuzzy Hash: 29bd48afb9a7a920d8eb1315a7c8a0f544cc9b9f725851fe28000c0589e503e6
Instruction Fuzzy Hash: 27D18F3160C7818FC719CE29C49476AFBE2AFD9304F08CA6DE8D987356D634DA49CB52

Function 00CEFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

uvw, xrefs: 00CEFE95
NA_I, xrefs: 00CF036D
m1s3, xrefs: 00CEFEC3, 00CEFECB
:, xrefs: 00CF0087

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 37cadc67c5e24f5c6796e1cb6e17b0098db0b5d71f96b99d1be05b82821c5fb9
Instruction ID: d79c1025b95b42139eb1fb618b241356d3cc9b56df800bc7ab82df5e4468cd1a
Opcode Fuzzy Hash: 37cadc67c5e24f5c6796e1cb6e17b0098db0b5d71f96b99d1be05b82821c5fb9
Instruction Fuzzy Hash: 413299B4508384DFD311DF29D881B2ABBE5AF89704F24891CF6D58B2A2D735D906CB62

Function 00CD3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

p, xrefs: 00CD3C80
ss, xrefs: 00CD3C79
%*+(, xrefs: 00CD3EC4
;z, xrefs: 00CD3C87

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 4c84142b90d1e81fdd4827e9ab80fb59ae75c5966641a7778bd0804dea7e561b
Instruction ID: 8e1e6069ab3612c41040f9b6d1a6cd83996d7606bf0570c9c425768b336ec3ae
Opcode Fuzzy Hash: 4c84142b90d1e81fdd4827e9ab80fb59ae75c5966641a7778bd0804dea7e561b
Instruction Fuzzy Hash: E1024BB4810B00EFD760DF25D986756BFB5FB01300F50895DE9AA9B795D330A819CBA2

Function 00E97D74 Relevance: 5.4, Strings: 3, Instructions: 1660COMMON

Download Yara Rule

Strings

Rzo, xrefs: 00E98D96
.~, xrefs: 00E988A6
CD_, xrefs: 00E98CCB

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: CD_$Rzo$.~
API String ID: 0-70364
Opcode ID: 45fcf14cb3e8653043e444b30f1830c608c76bd52a0f07495eac9942d889bdf2
Instruction ID: 21e97cd6d013468465243224dfc0138301f30198edbd5fa58f662ac322662654
Opcode Fuzzy Hash: 45fcf14cb3e8653043e444b30f1830c608c76bd52a0f07495eac9942d889bdf2
Instruction Fuzzy Hash: ABB228F3A0C204AFE304AE69EC8577AF7E9EF94320F16493DEAC4C7744E67558018696

Function 00CE2260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

sj, xrefs: 00CE2327
hu, xrefs: 00CE232F
a|, xrefs: 00CE2317
lc, xrefs: 00CE2507

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 059f9fc7cb499be7b8d8ed75f87f1f501cee966f6424c8f46d70d801e46be0a8
Instruction ID: 7408af13d25656a342250d0672e10fdc3a7e8eb332bf1b696874ddd886863fc7
Opcode Fuzzy Hash: 059f9fc7cb499be7b8d8ed75f87f1f501cee966f6424c8f46d70d801e46be0a8
Instruction Fuzzy Hash: 12A19E704083818BC720DF19C891B2BB7F8FF95754F589A0CE8D59B291E375DA41CB96

Function 00E8F6A2 Relevance: 5.4, Strings: 3, Instructions: 1630COMMON

Download Yara Rule

Strings

[3{, xrefs: 00E90010
sdg, xrefs: 00E8F914
sdg, xrefs: 00E8F8E7

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: [3{$sdg$sdg
API String ID: 0-2968471821
Opcode ID: 84df220e9593c032ac13b2bef39e2759cafa7557fe79b3a3985ed1f1d44604ee
Instruction ID: 3075059b7b9547ddc256ab7e90941e2d9e2a9f8e89dff2a644c27645c11cedd5
Opcode Fuzzy Hash: 84df220e9593c032ac13b2bef39e2759cafa7557fe79b3a3985ed1f1d44604ee
Instruction Fuzzy Hash: A5B21CF3608204AFE304AE2DEC8567ABBE9EFD4660F1A853DE6C4C7744E63558058693

Function 00E94751 Relevance: 5.3, Strings: 3, Instructions: 1592COMMON

Download Yara Rule

Strings

hD}, xrefs: 00E95279
+MN, xrefs: 00E953F8
Y1/w, xrefs: 00E95684

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: +MN$Y1/w$hD}
API String ID: 0-1148679552
Opcode ID: 72af8df55fd3ec2d6d29451300c7b6e27c20c9f0082151f7f1ccbc6748384f15
Instruction ID: 8b71118b1a0f872d7f4aa29d2ce0712170a8e776d2222b02ed9f06c4ac513976
Opcode Fuzzy Hash: 72af8df55fd3ec2d6d29451300c7b6e27c20c9f0082151f7f1ccbc6748384f15
Instruction Fuzzy Hash: 41B207F390C604AFE304AE29EC8567AFBE5EF94720F16893DE6C487344E63598418797

Function 00CED7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

KV, xrefs: 00CED97D
CV, xrefs: 00CED98B
#', xrefs: 00CED9EA
T>, xrefs: 00CED984

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: 4e3b4cbfa5cf5f2085c84ad14b75a1e773709bc512da719eebbc1ad809afc406
Instruction ID: eddaa5a327b95556ac95ed80c7b1a3e96b89d3577f687bf32f22327d65d485c0
Opcode Fuzzy Hash: 4e3b4cbfa5cf5f2085c84ad14b75a1e773709bc512da719eebbc1ad809afc406
Instruction Fuzzy Hash: 338146B48017499BDB20DF96D68516EBFB1FF12300F60560CE486AB655C330AA56CFE3

Function 00CEAC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

4c2a, xrefs: 00CEACA9
lk, xrefs: 00CEACBC
(g6e, xrefs: 00CEACA1
,{*y, xrefs: 00CEAD07, 00CEAD13

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: c72236bea8391ad3a32e15ebc128da1b85673e77f4b2f3ccc5f0ae4a71952261
Instruction ID: 5e028be26aafaa156b4c5b0851a7b9e5107866c1fae9224c8bb01e7e0e298f63
Opcode Fuzzy Hash: c72236bea8391ad3a32e15ebc128da1b85673e77f4b2f3ccc5f0ae4a71952261
Instruction Fuzzy Hash: A94184B4808381CED7209F20D800BABB7F0FF86305F54995DE6D897261DB31DA45CBA6

Function 00CEC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CEC9E4, 00CEC9ED
~/i!, xrefs: 00CEC537
%*+(, xrefs: 00CEC8C3, 00CEC8CB

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: 95959c01a5f584653d24a5ce4fa585704a0b30764897aa858416264327d23a32
Instruction ID: a43ecc136e6f1d0a9660d5b4461162e9b627154c21086d67c6c58952b2fecb7b
Opcode Fuzzy Hash: 95959c01a5f584653d24a5ce4fa585704a0b30764897aa858416264327d23a32
Instruction Fuzzy Hash: C5E19AB5508384EFE3209F25D881B5BBBF5FB85340F44882CE69987291DB36D816CB62

Function 00CC8590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 00CC860C
), xrefs: 00CC8616
IEND, xrefs: 00CC89F0

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: b6e08b59b6bd5e8c64cb58f7e3d68a02174dd7c124e4422d593592c122d02242
Instruction ID: c41d252ee8504a9b22f4fef767d68165dca0303c555c2121701336923ce0beb9
Opcode Fuzzy Hash: b6e08b59b6bd5e8c64cb58f7e3d68a02174dd7c124e4422d593592c122d02242
Instruction Fuzzy Hash: A3E1D1B1A087019FE310CF29C885B2BBBE0BB94314F14492DF59997381DB75E919DBD2

Function 00E8BF6F Relevance: 4.1, Strings: 2, Instructions: 1629COMMON

Download Yara Rule

Strings

Vh[, xrefs: 00E8C019
ax7}, xrefs: 00E8C2FC

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: Vh[$ax7}
API String ID: 0-2810459029
Opcode ID: 2c9485b57317798491ba34640b74df15f2913606c7d7fe75be13489b1ac9fc7c
Instruction ID: db06fa28567568757f87017c3d31b41bdde6275db3bf2f7e352e9a7b22c438b7
Opcode Fuzzy Hash: 2c9485b57317798491ba34640b74df15f2913606c7d7fe75be13489b1ac9fc7c
Instruction Fuzzy Hash: 59B207F3A0C2009FE3046E2DEC8577ABBE5EF94720F1A493DEAC4C7744EA7558058696

Function 00E8AEFE Relevance: 3.2, Strings: 2, Instructions: 737COMMON

Download Yara Rule

Strings

qsf, xrefs: 00E8B01B
BvV, xrefs: 00E8B1C7

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: BvV$qsf
API String ID: 0-913537563
Opcode ID: e6ee253791a30cfca0deba6f98555666c87f6e8679b420bac653928c292c2f21
Instruction ID: 5ef38631295c66aba6bd05d1f5f40ca225be821a6453db17c64c1f460f8aafab
Opcode Fuzzy Hash: e6ee253791a30cfca0deba6f98555666c87f6e8679b420bac653928c292c2f21
Instruction Fuzzy Hash: 543217F350C3049FE3047F29EC8566AFBE9EF94720F1A4A2DEAC493744E63598118697

Function 00D04040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D040A4, 00D040AD
f, xrefs: 00D0420C

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: 676beb5dcf2898c80ad17e5fb258a3ef1526f2b8002a0497bed9e1b0a3a722ce
Instruction ID: 1fe222a481a98ccaf32c4fb8b5684bf23b7b5ee60d8674ff8968ad9e51f1dca4
Opcode Fuzzy Hash: 676beb5dcf2898c80ad17e5fb258a3ef1526f2b8002a0497bed9e1b0a3a722ce
Instruction Fuzzy Hash: 42129CB16083419FC714CF18D890B2BBBE5FBC9314F588A2CF69897291D775D845CBA2

Function 00CFF620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 00CFF7F5
hi, xrefs: 00CFF6E6

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: bc2a687bf5c7f0f65641f1c8145181afb47ed67a1cd16e2b3006b774307146d5
Instruction ID: c8c55466219cd184b5b5a44577469605e169e261f7c2e18c46d65bfd2bb7fb72
Opcode Fuzzy Hash: bc2a687bf5c7f0f65641f1c8145181afb47ed67a1cd16e2b3006b774307146d5
Instruction Fuzzy Hash: D4F18571618341EFE304CF25D891B6ABBF5EF86344F14892CF2958B2A1CB35D946CB22

Function 00CC35B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00CC3607
NaN, xrefs: 00CC360E

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 8ca4f2a7f1b1ae72ddd9fef03306adc851f9a4c1dbd317e771ac3b98e87bfade
Instruction ID: 2f8dae5504bc9cff6245c2a81bab1fc5ed1eedd6ec3f81f2aab2b95c2aee2520
Opcode Fuzzy Hash: 8ca4f2a7f1b1ae72ddd9fef03306adc851f9a4c1dbd317e771ac3b98e87bfade
Instruction Fuzzy Hash: 71D1E771A083519BC704CF69D880B1EB7E1FBC8750F14C92DF9A997390E675DE059B82

Function 00CDFFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00CE0197
Ye[g, xrefs: 00CE00F6

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: 764d517ee471e3f302637eae440f6431e5b033c68fb16b63cbaf91db6400ba10
Instruction ID: 528ae1f63be59bb2323a939f00b84da061756f5ef90c46544f46505d1cfed64a
Opcode Fuzzy Hash: 764d517ee471e3f302637eae440f6431e5b033c68fb16b63cbaf91db6400ba10
Instruction Fuzzy Hash: C751AEB16083818BD731CF55C485BABB7F0FF96310F29491DE49A8B651E3B49A80CB97

Function 00CC5160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00CC54C8

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 1b37baab1967a3f2a3e45a460622d07931531946424b4d5f36cd1e83f6e74e70
Instruction ID: cb6c50db9ddfdaea219ac0b1c71b1d20ad371ce50ca2d0e01698b52c57b8771f
Opcode Fuzzy Hash: 1b37baab1967a3f2a3e45a460622d07931531946424b4d5f36cd1e83f6e74e70
Instruction Fuzzy Hash: 7D22F4B6A08B42CBE7158E19C940B26BBE2AFE0304F1D856DD8698B391E771FDC5C741

Function 00CF12D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00CF15D1

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: b119002d9e341240077e50a15751dbb26bc5e0f9e01c00066b44bbcd680a1d71
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 2CF14571A083498FC724CE25C490A3BBBE6AFC1350F1C856DEDAA87382D635DE059793

Function 00CEAE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CEB2D3, 00CEB2DB

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 862716af6da72bbe0be9fc880324321789455914b363798f932df63cf7983e41
Instruction ID: 5f23a556e7add2399c6095c89b4b50acab47ffdc22cd5ee8e4c14b1d7d7894a1
Opcode Fuzzy Hash: 862716af6da72bbe0be9fc880324321789455914b363798f932df63cf7983e41
Instruction Fuzzy Hash: 20E1B875508386DBC324DF2AC48056FB3E2FF98791F54891CE4D587260E730AE5ACB92

Function 00CD6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CD6EF3

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: a6d455848c26028e588f4dbe202444cd787c0658c32491e4f9bbfea812e3d500
Instruction ID: 463f3171f549464f9b14f1b5b6f9de14866bd85c8b6b603c7cf8226e9413619a
Opcode Fuzzy Hash: a6d455848c26028e588f4dbe202444cd787c0658c32491e4f9bbfea812e3d500
Instruction Fuzzy Hash: A1F19DB5A00B01CFD724DF24D881A26B3F2FF88314B148A2ED59B87B91EB31E915DB50

Function 00CE7E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CE8263, 00CE826B

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: ba27cb3ce0815bc20b4149ca4217852923700d336da1c330666e0200a6eb6d35
Instruction ID: 64e00dd6be2129b2cdf42e9957f398bcde75e96e9712117462e1ff0b7c2421a9
Opcode Fuzzy Hash: ba27cb3ce0815bc20b4149ca4217852923700d336da1c330666e0200a6eb6d35
Instruction Fuzzy Hash: E1C1E171508340ABD710EB16C882A2FB7F5EF81754F48881CF8D99B291E735DD09DBA2

Function 00CE8D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CE9233, 00CE923B

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7d39c9f81d6ddd42b3b70a77c8f95b15fc4e733ddf31b00d6cd0fc08663d43f5
Instruction ID: 57034121c147957546838ffeda45517c6a55615846af0e1d7e968b794a4eddc2
Opcode Fuzzy Hash: 7d39c9f81d6ddd42b3b70a77c8f95b15fc4e733ddf31b00d6cd0fc08663d43f5
Instruction Fuzzy Hash: 26D1DF70618342EFD704EF65E88166ABBE5FF88300F09886CE886C7391DB75E941CB61

Function 00D07FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00D08167

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: a04b3833ede90978d66af9b826f040d31e363b921053abfb362cc2b43133dd24
Instruction ID: 0729d6bae3b17f954e815973fd8404dcd6a0b2e76e148fd6374f3924f3fc8f94
Opcode Fuzzy Hash: a04b3833ede90978d66af9b826f040d31e363b921053abfb362cc2b43133dd24
Instruction Fuzzy Hash: DDD1D6729083618FC715CE18989071EB6E2EB85718F19862CE8E9AB3C4CB71DC06D7E1

Function 00CECCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CECDC3, 00CECDCB

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 58caaffc4f1562031e30aadc5cb3f0ecc953ce73a9b4e95cdc2f2c504db1ee8f
Instruction ID: ded05c449ba7345f73ba7c5d4c13bf6820ea9c2cae1f9b150cc09a2b0c11bfdb
Opcode Fuzzy Hash: 58caaffc4f1562031e30aadc5cb3f0ecc953ce73a9b4e95cdc2f2c504db1ee8f
Instruction Fuzzy Hash: F6B101705083819BD714DF5AD881B3BBBE2EF85340F18482CE5D58B391E335EA56CBA2

Function 00CCA850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00CCA9C3

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: c9829a4fd412cc950d0b9444a2d70133a58cf63213475e9a68aa8aaa4902a3c9
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 22B139701083859FD324CF58C894B1BBBE1AFA9708F448A2DF5D997342D671EA18CB57

Function 00CFFC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CFFCA4, 00CFFCAD

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: fbd93187d4259a3cf845a135da501faf997a6220d02d658d7c51426a7a7a6ef9
Instruction ID: 5b7111491cb87b0e39450fb087ac3decf088508b60753c1831701064a2219f91
Opcode Fuzzy Hash: fbd93187d4259a3cf845a135da501faf997a6220d02d658d7c51426a7a7a6ef9
Instruction Fuzzy Hash: 93819AB1608305EBD7109F69E885B2AB7F5EF89701F14882CF68887291DB35D916CB73

Function 00CDD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CDD663, 00CDD66B

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 63d457db5491235a3ccfbaea9c6902993fb3886c8d3bc4b0557cda2494a7e578
Instruction ID: 98bc020826f11a5b2cdde847c9e4a5bde8a3dadc15579cfe81592161c646824c
Opcode Fuzzy Hash: 63d457db5491235a3ccfbaea9c6902993fb3886c8d3bc4b0557cda2494a7e578
Instruction Fuzzy Hash: C561C5B1904304EBD710AF18E882A6AB3B0FF95354F04492DFA8A87391E775D952C7A2

Function 00D04A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D04C33, 00D04C3B

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: ebeb98891b5ddad68a98cb20de055e92011b5d38b0f488ec65953b1b6575c2a4
Instruction ID: 66045e78c807a56dffb6d291883600717cae199fc76eb08afa2627057660db3a
Opcode Fuzzy Hash: ebeb98891b5ddad68a98cb20de055e92011b5d38b0f488ec65953b1b6575c2a4
Instruction Fuzzy Hash: BC61BDB16093019BE711DF29D880F2AB7E6EBC4314F18891CEAC9872D1D771EC51CBA6

Function 00D91077 Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

X#o, xrefs: 00D91182

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: X#o
API String ID: 0-453393042
Opcode ID: 8998af7b92ee7a9c0f4ccec32253aa7b1eb77c0b9f2dec59cafcedb2848e3aa2
Instruction ID: 803473dc87afa93f84b7a01546e2f4fad2d4350cf1352d98454f7051d539fff7
Opcode Fuzzy Hash: 8998af7b92ee7a9c0f4ccec32253aa7b1eb77c0b9f2dec59cafcedb2848e3aa2
Instruction Fuzzy Hash: 5951F4F3E085109BF30C6A39DC5577AB7D6EBD4320F2B463EDAC993784E93858018686

Function 00CCE1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00CCE333

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 5d9904029787cba55de05e439a5b31e2e76554c52dca0207aae46c9d2a63187e
Instruction ID: 9b167db3ff81d2c2fbcc94945322a52d520528a068b6405fa890439b93b4eb2f
Opcode Fuzzy Hash: 5d9904029787cba55de05e439a5b31e2e76554c52dca0207aae46c9d2a63187e
Instruction Fuzzy Hash: D4510433A196904BD328893D8C567A97A870BE3334B2DC76EE9B5CB3E5D55588018390

Function 00D03920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D039E3, 00D039EB

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: ebf7d78d62af0803d4483ae4aaceb0e6d6cb0b83e9611d733cd77136768e283c
Instruction ID: cdeaa5c43081a10df274e0f5714ddb274f293a24d0498afd931f95dbc1dc21a4
Opcode Fuzzy Hash: ebf7d78d62af0803d4483ae4aaceb0e6d6cb0b83e9611d733cd77136768e283c
Instruction Fuzzy Hash: 8B518E74609340EBCB24DF59E881B2ABBE9EF85744F18881CE4CA87291D771DE10CB72

Function 00E7C2CF Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

a{S}, xrefs: 00E7C449

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: a{S}
API String ID: 0-1163447261
Opcode ID: ade70b5ced26e1b002fa2888a9f0e9356486044e17a6f2e36ca2aaca85bea3b3
Instruction ID: 9c284d5ec10bfdc01148619edf0fc1b6fefe29091b9b8a7efea9da25e09ac1d8
Opcode Fuzzy Hash: ade70b5ced26e1b002fa2888a9f0e9356486044e17a6f2e36ca2aaca85bea3b3
Instruction Fuzzy Hash: C24129F3A082005FE708A93DDDC977ABBD6EBD4310F19463DDBC583784E93948158656

Function 00CD1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00CD1C3E

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: ee25662767e4fb54312cf449b1abfcdf8b47fd576019ed7a1fcf0170f850d117
Instruction ID: 0579a53440021d13e7a54a5e393ddbc13c4d0a752b9b265be086f64dc3923230
Opcode Fuzzy Hash: ee25662767e4fb54312cf449b1abfcdf8b47fd576019ed7a1fcf0170f850d117
Instruction Fuzzy Hash: 984160B4018380ABC7149F64C894A2FBBF0BF86314F08890DFAD59B390D736CA05CB66

Function 00CFFF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D00033, 00D0003B

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 9e92b0df25664775d8a7e605297b25b98396c2c73152652b6805dd34d42980ac
Instruction ID: 8e6866cc27d304fb467e9ae3fe4b70bae6c2aa7f05648a9dd1ff14dcf26caeb7
Opcode Fuzzy Hash: 9e92b0df25664775d8a7e605297b25b98396c2c73152652b6805dd34d42980ac
Instruction Fuzzy Hash: 3E31D4B1A08305BBD610EA54DC81F2BBBE9EB85744F544828F98DD7292E632DC15C7B3

Function 00CEE40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00CEE6A2

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 4991f38a7978ad315a09a4084eff58930694f84410c644ac1a39704dcae25138
Instruction ID: 0b2eaa80db18ff44772b6e5196ba33ee1de5e26ac5f16ea3a4ef67c2d0b17a4a
Opcode Fuzzy Hash: 4991f38a7978ad315a09a4084eff58930694f84410c644ac1a39704dcae25138
Instruction Fuzzy Hash: 6F31E6B5900345DFCB20DF96E8809AFBBB5FB0A345F14482CE556A7301D731AA05DFA2

Function 00CD6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00CD703B

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: addfe29b528fd41202e0940006b90a3f9b28c8ded72fe61121bffb2b95bb33b9
Instruction ID: 6ee37a85e5b56938a3baffe4316431a2ba772a1a6ecfb151198393da17fd76b5
Opcode Fuzzy Hash: addfe29b528fd41202e0940006b90a3f9b28c8ded72fe61121bffb2b95bb33b9
Instruction Fuzzy Hash: 06415671205B04EBD7348B61D995B27B7F2FB49700F14891DE69A9BBA1E731F800CB20

Function 00CEE66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00CEE6A2

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 20d920482c2ddc461f834dfd4306058f9b233d8e76a3f23ab17f57b489a317c5
Instruction ID: f2a63ee7aac0130a57c8ef70fa713198dc78103dbc5f0ed871b1ca35cfc44e23
Opcode Fuzzy Hash: 20d920482c2ddc461f834dfd4306058f9b233d8e76a3f23ab17f57b489a317c5
Instruction Fuzzy Hash: DC21E2B5900345DFC720CF96D880AAFBBB5BB0A740F14481CE566AB301C331AE02CFA2

Function 00D09CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00D09D30

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 4e70fe86d6fb4d78fa094449bbcce28421ad191e4d5af2e1cc7fbba2c04a9b3e
Instruction ID: dc8d3e26b11016f4bd004bef1324100898ea0771e4c5524ee932486598315692
Opcode Fuzzy Hash: 4e70fe86d6fb4d78fa094449bbcce28421ad191e4d5af2e1cc7fbba2c04a9b3e
Instruction Fuzzy Hash: 453134705093009BD714EF19D890B2BFBF9EB9A314F18892CE5C897292D375D905CBB6

Function 00CD4E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c91f700a95845f2cdb95194129f080db7cc525a532b4b34b0b6e3def3114e9
Instruction ID: 8c9b3b58a0a50f621067dfaba731240437f11e123c6e763d0832ee16c623b551
Opcode Fuzzy Hash: 99c91f700a95845f2cdb95194129f080db7cc525a532b4b34b0b6e3def3114e9
Instruction Fuzzy Hash: 446268B0500B408FD725CF24D890B27B7F6AF59700F54892ED5AA8BB52E735F949CBA0

Function 00CCBEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 669d7238e4510d4e3ae80903ce4d4863d3d6dadfa385d9c61f41bbb8467f4da5
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 0252F731A087118BC725DF18D4C07BAB3E1FFD5319F298A2DD9DA93290D734A952CB86

Function 00D08652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a14d939322f34998f317ca96d266a222979e20c9baeb4f078d3e9dc3c632e6
Instruction ID: e11f302583cdff7671c03493f585a0e31e0fd3ce6ea139c05b2ed264299f1df7
Opcode Fuzzy Hash: a2a14d939322f34998f317ca96d266a222979e20c9baeb4f078d3e9dc3c632e6
Instruction Fuzzy Hash: FD22CA35608341EFC704DF68E89066ABBE1FB89315F09886DE589C7391DB35D891CB62

Function 00D086F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4048fdfc4b964264205bd2c99851018b0a7c1b3a82ab26925fd9447f97e0aec9
Instruction ID: e94a66ec5840de217289fb8ddeea20dd24cb882ee74726d3a23fd42223ac369e
Opcode Fuzzy Hash: 4048fdfc4b964264205bd2c99851018b0a7c1b3a82ab26925fd9447f97e0aec9
Instruction Fuzzy Hash: BC229935608340EFC704DF68E89065AFBE1EB8A315F09896DE5C9C7392DB35D891CB62

Function 00CCB3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fc30e2a3f32df062a3c4b4388d2e468022be0f662a45077253792392e6a88d
Instruction ID: 212861bced22a20ab1387de66f2f4940b83794396d79d03ccbfd41de6a2232bb
Opcode Fuzzy Hash: 40fc30e2a3f32df062a3c4b4388d2e468022be0f662a45077253792392e6a88d
Instruction Fuzzy Hash: 6652E570908B848FE735CB64C086BA7BBE2AF95314F144C2EC5E706B82C779AD85CB55

Function 00CC71F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094ef557767ac4b7a0da025c7036271e94dd2f45b3d96675b9fb7b125cc4d23d
Instruction ID: 4840ca14f4517301104bb1d6ad86295ace2a40f9402d69325ca3ae10fb4a1595
Opcode Fuzzy Hash: 094ef557767ac4b7a0da025c7036271e94dd2f45b3d96675b9fb7b125cc4d23d
Instruction Fuzzy Hash: B7529E3150C3458BCB15CF29C090BAABBE1FF88314F198A6DE8A957392D775D989CF81

Function 00CC8FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22101b7df0ed00fc46bd98aa54f29fdb6d782814b71ba853396252a7ef6cbd5f
Instruction ID: df9ece58aeca7e8013897fb8b433c149aad70bb6fcac9fe260364175deb3ec68
Opcode Fuzzy Hash: 22101b7df0ed00fc46bd98aa54f29fdb6d782814b71ba853396252a7ef6cbd5f
Instruction Fuzzy Hash: 02425375608301DFD708CF28D894B6ABBE1FB88315F09886DE4998B3A1D735D985CF92

Function 00CC7BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47493300aead7936e2ef62934c0ad5d430f876d1cb43f5c6f6a52ded78c87d5
Instruction ID: 7fdc61705563fee0a47f0e9f8d72405084451ef9611c0ade3f85363efc5b782b
Opcode Fuzzy Hash: c47493300aead7936e2ef62934c0ad5d430f876d1cb43f5c6f6a52ded78c87d5
Instruction Fuzzy Hash: 9B32E071518B118FC368CE29C590A6ABBF2FF45710B644A2ED6A787E90D736B849CB10

Function 00D089A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6e75a998b90466e70295e091719ae76997c8fd500aea03c87c464316147f3b
Instruction ID: d7532437203cf4eeade01f7a47d3c3fed52b45ecf8034f58d9b8202326d0765c
Opcode Fuzzy Hash: 7b6e75a998b90466e70295e091719ae76997c8fd500aea03c87c464316147f3b
Instruction Fuzzy Hash: BB029935608341EFC704DF68E89065AFBE1EB8A305F09896DE4C9C73A2D735D851CBA6

Function 00D08A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992533b6bddbd7a6cf5f127b7e11c3dfada4c148a65869421055681940c7ad20
Instruction ID: 30ec0a3a86491dcf6f7f1fffe8ff02ecc0d433336be0bd3a4cee7f228bbc581e
Opcode Fuzzy Hash: 992533b6bddbd7a6cf5f127b7e11c3dfada4c148a65869421055681940c7ad20
Instruction Fuzzy Hash: ECF18735608340EFC704DF68E89061AFBE1EB8A305F09892DE4D9C7392D736D951CBA6

Function 00D08C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3f49236836fd81049641d63ed0a035aa0f5b63eb073a48b20faf05a84a640e
Instruction ID: ba0a5e6c124d15b34f242a7ed7d8341a56555ee88e3c400243a3ba97fdf0113d
Opcode Fuzzy Hash: 4e3f49236836fd81049641d63ed0a035aa0f5b63eb073a48b20faf05a84a640e
Instruction Fuzzy Hash: E1E1AE31608341DFC704DF28E89066AFBE1EB8A315F09896CE5D9C7392D736D951CBA2

Function 00CCA300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: df422c9b23c5c12e1e3d143047b07b4c17fb08f34120e6bac70cfb52f4709954
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: A8F1AC766087458FC724CF29C881B6BFBE2AFD8304F08882DE4D987751E639E945CB52

Function 00D08E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa77fa72580841e11cc2e0c396fe546638b8177b9996f41f02dbf2fd88259fa
Instruction ID: f8bd765599012260097b89db983a50f3ca0b43cd636c9d0ef1f4428f390f1a8d
Opcode Fuzzy Hash: daa77fa72580841e11cc2e0c396fe546638b8177b9996f41f02dbf2fd88259fa
Instruction Fuzzy Hash: 8CD18B3460C340EFD704DF28D89062AFBE5EB8A305F49896DE4D987392D736D851CB66

Function 00CD4487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9cf4e92414068bd6b48750aec51598d331ca323e9eb9eb6f9d53dfa2823d37
Instruction ID: fac25040b4cec44c7fcfd6d5fd1c3e67c0843c0b44c44613af481b0ea58239f7
Opcode Fuzzy Hash: 2e9cf4e92414068bd6b48750aec51598d331ca323e9eb9eb6f9d53dfa2823d37
Instruction Fuzzy Hash: C5E1EFB5501B008FD325CF28D992B97B7E1FF06704F04886DE5AAC7B52E735A854CB54

Function 00D06CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1e466fe176f6dc2593d9d0ee803c31a4b7208180846aa0f6ebcf23a9f4543c
Instruction ID: 6036088bf56405a4641b333186d441bed8692a0e06f22f94f95a7edd45c6b1e8
Opcode Fuzzy Hash: ab1e466fe176f6dc2593d9d0ee803c31a4b7208180846aa0f6ebcf23a9f4543c
Instruction Fuzzy Hash: E2D1F336618351DFC714CF38E8C065ABBE2AF89314F098A6CE495C7391DB34DA46CBA1

Function 00D07AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e866f28bb0e1e97806e3bd0e4c196730c6d651e463f2bc09a5cd6c07e7dfa5
Instruction ID: 7fee51fe8b91b832600047ad2f88ae973482eccd9eebd7278971bea25a9b0191
Opcode Fuzzy Hash: 98e866f28bb0e1e97806e3bd0e4c196730c6d651e463f2bc09a5cd6c07e7dfa5
Instruction Fuzzy Hash: 2CB1D272E083505BE314DA28CC45B6BB7E5EBC5314F08492CF99D9B3D2E635EC0587A2

Function 00CCAF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: a0646f24243763e3b0e486fa87b14c47e11479da8264e89ba009b718ef839cf6
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: FBC16AB2A087418FC370CF68DC96BABB7E1BF85318F08492DD1D9C6242E778A555CB46

Function 00CD6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62bb06450267976c33def09f47c8b93a3d2786b6174fee9c314c85d2e3c6e08
Instruction ID: d289f25a21c3fabbffe873bdd27e671515bbf058c8e06d7d3a0a885cda90d5fb
Opcode Fuzzy Hash: a62bb06450267976c33def09f47c8b93a3d2786b6174fee9c314c85d2e3c6e08
Instruction Fuzzy Hash: E7B101B4600B408BD325CF24D991B27BBF1AF46704F14885DE9AA8BB92E735F805CB55

Function 00D07710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fcbd604a6216ee46342a060f91219fb21fc482841854aa5c0c85cd3d04b7ecb4
Instruction ID: 58dd9f152abe405ca047f69a0a89c2dd09bc37cad650cf77a5bc525d4e0e219c
Opcode Fuzzy Hash: fcbd604a6216ee46342a060f91219fb21fc482841854aa5c0c85cd3d04b7ecb4
Instruction Fuzzy Hash: 6A916E71A08341ABE720DA14D841BAFB7E5EB85354F58881CF5999B3D1E730E940CBB2

Function 00D0A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16335b5506ce01d957207a8183892ba0de97370ad1fd0706b204f8922a94bc84
Instruction ID: 0629bb75dbdd011e4766002a6c50584c343881ccabe1347e96e4817b5147881f
Opcode Fuzzy Hash: 16335b5506ce01d957207a8183892ba0de97370ad1fd0706b204f8922a94bc84
Instruction Fuzzy Hash: 61816C342087019BD724DF6CD880B2EB7F5EF99740F59892CE589CB291E731E851CBA2

Function 00CF64F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08afb82eeac0cf0b5d8f7df9ec66f52ef49d3e2894e9d03e2b92e4fb59e1d62
Instruction ID: 26459b2b96c7aaecc22304cd3ff930424bcf79ec54581fdc111e2b6bff02cb51
Opcode Fuzzy Hash: e08afb82eeac0cf0b5d8f7df9ec66f52ef49d3e2894e9d03e2b92e4fb59e1d62
Instruction Fuzzy Hash: 71711633B29A944BC3549D7D4C823A5BA930BD6334B3EC37AEAB4CB3E5D5294C064352

Function 00CE28E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed663b8bee1bea4473afe3272152d2f935c91a4d822aa51266b02adaa419643
Instruction ID: f385f0c58157144857459f747308f09e413bf0b3cf354f7d5ad65c45abb1b4b6
Opcode Fuzzy Hash: 9ed663b8bee1bea4473afe3272152d2f935c91a4d822aa51266b02adaa419643
Instruction Fuzzy Hash: 606185B54083809BD310AF1AD891B2ABBF4EFA6750F08891CF4D58B361E379C911DB66

Function 00CE7C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb7e54e0f3f83afbdcc97d1f1521166a4949975648eb2e082b1c2a129885343
Instruction ID: ae730abd1dffc1aeb527e539a79e40f409c1098369e86f1c34c1278a6396e15d
Opcode Fuzzy Hash: dcb7e54e0f3f83afbdcc97d1f1521166a4949975648eb2e082b1c2a129885343
Instruction Fuzzy Hash: C451E0B1608244ABDB209B26CC86F7733B8EF85364F144A58F98A8B390F375DE45C761

Function 00D491E2 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a79a7c81d0ced33a12f60efd1d954f4edbd677232b0e7f221f66e2e8ff3235a
Instruction ID: ef791344c813095a957a7e97bb3ec79980b7cc79e7db5f2a714062509fe93d14
Opcode Fuzzy Hash: 4a79a7c81d0ced33a12f60efd1d954f4edbd677232b0e7f221f66e2e8ff3235a
Instruction Fuzzy Hash: 476105F3E182145FE3049A3CEC8576AB7D9DB94320F1A863DEEC8D7784E979580086D6

Function 00CF1860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: ebde918d19f9fd6234760bfd7fb64831ac5a59855b263629dc0c91db9ae10270
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 3C61D331609349DBD794CE29C58033FBBE2ABC5350F6DC92DEA998B251D270DE41A743

Function 00CF82D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110732cc6648d94109f21ace3047ab99a2a7221222b1fcb97a93c57346b8893f
Instruction ID: 03416448e619a32dda2b6cd67797bb50da2f7e5ea7f9e096db1d36098a966979
Opcode Fuzzy Hash: 110732cc6648d94109f21ace3047ab99a2a7221222b1fcb97a93c57346b8893f
Instruction Fuzzy Hash: F6615723B1AA944BD354463E1C553BA6E831BD2330F3EC36ADAB58B3F4CD69480A4353

Function 00CD42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318d52587ed96f2c7d061290252f8db342c654eb6ab54c5d1bb9eb15af453690
Instruction ID: 28216dbc922845eeac3469e25589a3726074430bc03faf0d282716fd3e7279dd
Opcode Fuzzy Hash: 318d52587ed96f2c7d061290252f8db342c654eb6ab54c5d1bb9eb15af453690
Instruction Fuzzy Hash: 0081D1B4810B00AFD360EF39D947757BEF4AB06201F504A2EE5EA97695E7306419CBE3

Function 00E32067 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10448cee704aad2ddf213731e0b32d8e0890067e49e8603af039b515d426f24f
Instruction ID: 04f03ac6d68d4fd66c726d0c068e92b01d21bad1733e527d399a3e2b88fb4867
Opcode Fuzzy Hash: 10448cee704aad2ddf213731e0b32d8e0890067e49e8603af039b515d426f24f
Instruction Fuzzy Hash: 0A5126B3A183289BD700BE2CEC497A7BBD5EF84761F26853DDAC487744E931680486D6

Function 00CFE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: 77cb3d607146b24c87b26965396932a5318e6de1b5847ffd550d9a8fc5682a44
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: C3516DB15087548FE314DF69D49436BBBE1BBC5318F044E2DE5E987390E379D6088B92

Function 00D6FC1E Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cefd3a8d4ce77bf01f7ee55c6f3e4b2ebe97f71c38f0a39d2f69c77fd01f5b5
Instruction ID: 2cc8a772d51887f135be9845ba466d6d2b93cfdd077e276db33d4108492acfbf
Opcode Fuzzy Hash: 5cefd3a8d4ce77bf01f7ee55c6f3e4b2ebe97f71c38f0a39d2f69c77fd01f5b5
Instruction Fuzzy Hash: 10513BF3A083089FE3406E79EC8472AB7D5EBD4720F27463DDAD483784E97558058693

Function 00D07520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43134180dbd948208f198f81a7991473547eaed9c6ac43e80bf251705e299ea
Instruction ID: a4c372e324995d2f4508d981652738eae19d7310189eca4957f717c6e25f2704
Opcode Fuzzy Hash: c43134180dbd948208f198f81a7991473547eaed9c6ac43e80bf251705e299ea
Instruction Fuzzy Hash: 2051E931A0C600ABC7159E18DC91B2EB7E6EBC5354F68862CE4D99B3D1D631EC11C7B1

Function 00F0C54D Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8c52eebff3159ab3cdc24fb7ecc9d95b6492f0914a73e36eda22c7f9f1e297
Instruction ID: 0f17201fcc400ce899c30661f6e50844df565f9008ba26a06cfbaf2b53d607dd
Opcode Fuzzy Hash: 1b8c52eebff3159ab3cdc24fb7ecc9d95b6492f0914a73e36eda22c7f9f1e297
Instruction Fuzzy Hash: EB5138B760C600DFE3146F29E99473ABBE4DB94310F21473EDBC687280E6364801BAD6

Function 00CC5A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad8b41d678eb1d1ce07225de36fa8ec0df22ffe41f6a19eb6328b01727c6f27
Instruction ID: d0db53d8d7c3886fecd30c14c1ecfe33110eba6018ea2bd9fbb946c1f98c2cdc
Opcode Fuzzy Hash: 2ad8b41d678eb1d1ce07225de36fa8ec0df22ffe41f6a19eb6328b01727c6f27
Instruction Fuzzy Hash: F951C3B5A047049FC714DF14C890E26BBA1FF89324F15466CF8AA8B352D631FD82CB92

Function 00CEEC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea11767b07023f865c9f8d72d161aebe07dcc66a34d2138bf0b4bffe85eeace
Instruction ID: 4b2c4896be6b61c22da521d6b45b2e60ef70f1dbb63aac87a2bb2bb469edf45b
Opcode Fuzzy Hash: 2ea11767b07023f865c9f8d72d161aebe07dcc66a34d2138bf0b4bffe85eeace
Instruction Fuzzy Hash: 7441D178900359DBDF20CF55DC91BADB7B0FF0A340F144548E955AB3A1EB38AA51CBA1

Function 00D09B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65d04c8e6bea2e5da6557e2fabc338d20bd5773beb790a8c2fb036bf89a9898
Instruction ID: 27b5b96093101553f0e4bd06e113a270d819df633f75399ed0daef0d5fb5c88c
Opcode Fuzzy Hash: b65d04c8e6bea2e5da6557e2fabc338d20bd5773beb790a8c2fb036bf89a9898
Instruction Fuzzy Hash: 8C419D74608300ABE710DB15E9A1B2BF7E6EB85710F18882CF58997292D375E811CB76

Function 00CD2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efae169cce37d3a84a2b8a886582caeb041442c97273b812f6ffdde3c0e1915
Instruction ID: ee026010eb015454d5b70eb83bd7b8395941c36e692d35254712d91967a0153c
Opcode Fuzzy Hash: 2efae169cce37d3a84a2b8a886582caeb041442c97273b812f6ffdde3c0e1915
Instruction Fuzzy Hash: A141F632A083654FD35CCF2A849023ABBE2ABD5300F09C62FE5E6873D0DAB59945D791

Function 00D3E20E Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d7fb77ec787da3fab71aa4ab3f6e937cb45f940673d4c0dd4337acafc64edf
Instruction ID: 0da25065603488ca4aa55e6bfa6034ca6e25ef5c74cc5cf336419919ae36b1e5
Opcode Fuzzy Hash: 13d7fb77ec787da3fab71aa4ab3f6e937cb45f940673d4c0dd4337acafc64edf
Instruction Fuzzy Hash: 2B41C3F39086149FE304BE29DC4576AB7E5AF94320F1B4A3CDAC887740EA7999148687

Function 00CD1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2881974c4beaaaa4bd07fcce977a0ece5bff0f19e96e5bacfa7308935e1477a
Instruction ID: 471646d7355872224267c86409a5a551e6afb1de67f2d6d6f8ac7ad943ddc2d6
Opcode Fuzzy Hash: a2881974c4beaaaa4bd07fcce977a0ece5bff0f19e96e5bacfa7308935e1477a
Instruction Fuzzy Hash: 2841007450C380ABD320AB58C884B1EFBF5FB96344F18491DFAC497392C376E8158B66

Function 00D08D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efef7ae49f5d611f47f62402248843998413d171ecbd1351153f0353496e858d
Instruction ID: a3757cce33a5353f74d090df6b57fa8394a361a933dbee3fb866d6747d92de0d
Opcode Fuzzy Hash: efef7ae49f5d611f47f62402248843998413d171ecbd1351153f0353496e858d
Instruction Fuzzy Hash: 0941CE316083508FD704DF68C49062EFBE6EF99300F098A2DD4D9D72A1DB74DD058BA6

Function 00CDD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa91f90d6a6c4c88d08efe6bd187d558804133f2679277d81b58d6746e428b9a
Instruction ID: cbe5f869a70af7e72788fefc8ea883bf28b2f9dee928406343cfbe32a3b3a602
Opcode Fuzzy Hash: fa91f90d6a6c4c88d08efe6bd187d558804133f2679277d81b58d6746e428b9a
Instruction Fuzzy Hash: 6241DDB1A48381CBD3309F10C885BABB7B0FF96360F04495DE59A8B792EB754941DB63

Function 00CFF030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 0730b7b1dc82374a1a5c23e608b56789ab67f35e6bd3aa5729cbe0f94bf0760f
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 2A2107329082284BC3249B59C48163BF7E4EF99704F06C63EEAC4A7295E7359D15C7E6

Function 00D067EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204c96622cc7e98f3b6264d36aa90a6092e3d862e95f84cdea7dcb4af2ccd14b
Instruction ID: 3a371261acab951b431731236ec4ce7492a8b286f01968844ab65187e3606f57
Opcode Fuzzy Hash: 204c96622cc7e98f3b6264d36aa90a6092e3d862e95f84cdea7dcb4af2ccd14b
Instruction Fuzzy Hash: 5E3116705183829AE714CF14C49066FBBF0EF96784F54980DF4C8AB2A1D734D995CBAA

Function 00CE5E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3f735281d99a1b3dbf71a3fffa903c21fad804e87973f48f5eeb5462ba5522
Instruction ID: 652ee919b995aaa5fe072f13445f7e7c521b010fd64b78b03653722155fa1945
Opcode Fuzzy Hash: fe3f735281d99a1b3dbf71a3fffa903c21fad804e87973f48f5eeb5462ba5522
Instruction Fuzzy Hash: 6A21A1B55086419BC310AF19C85192BB7F4EF96768F44890CF4D99B292E338CA00DBA3

Function 00CC49A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 58d2b123a42d1dfd012b86ba9db8f5fd52cee087e5ee5533dc8116a5ba0db27f
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: 6331E5316482109BD7189E59D8A0F2BB7E1EF84359F18C92CE8AACB241D231DD43DB86

Function 00D064B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2aff660855c5ee040c223a3ad4ea7591bd8c53bb8b1a6bc0798ec7e434010d
Instruction ID: 96a3c28ade0e81362577d1d6cc3fe0326283b7d7c3a10a0a5191097c25f96365
Opcode Fuzzy Hash: 8c2aff660855c5ee040c223a3ad4ea7591bd8c53bb8b1a6bc0798ec7e434010d
Instruction Fuzzy Hash: 8821397050C241EBD705EF19E480A2EFBE6EB95745F18881CE4C8973A1C735E861CB72

Function 00D05700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a92d525dd3ee52670f64a47c1e21ca7bc1e2c77543cba9f212dcbe139872351
Instruction ID: 410b7621fe6425bcfcf2c09cc8139f92df25c3459c1dd999e29548c1a500c688
Opcode Fuzzy Hash: 1a92d525dd3ee52670f64a47c1e21ca7bc1e2c77543cba9f212dcbe139872351
Instruction Fuzzy Hash: 17118F71518240EBD701AF28E844B5BBBE5DF86710F058828E8C89B351D735D811CBB2

Function 00CFB650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4c3bfe1e84b7ca67dda76ed05d4c4163c28da65c3bf2189c268d2c2c1e29199a
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 6F11E933A051DD0EC31A8D3CC840575BFA31AA7234B594399F4B4DB2D2D7228E8A8356

Function 00CF0B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: ea49dc14b82825fc3aae0dbaad73ebd0d80ada8680f7577c024bc5ec488ff0f2
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: 3B01D4F1A0030647E760DE51D8D0F3BB3A86F80B18F28452CEA1A47303DB71ED06E692

Function 00CED1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506b0f2e1f10ec3f2033e00dc38baaa05a1b262a3326e18cf312c26f293dc11b
Instruction ID: a21ecaf3fc656217c389bbc45d6e1addd4e1d1da99085df704602ed1420fd1ab
Opcode Fuzzy Hash: 506b0f2e1f10ec3f2033e00dc38baaa05a1b262a3326e18cf312c26f293dc11b
Instruction Fuzzy Hash: 0111DBB0408380AFD3109F618484A2FFBE5EBA6B54F248C0DF6A59B251C379E819CB56

Function 00CC6EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffda32fc64425e7646656e61b1e86f53da8e2d60b08447131583f8a03fd42720
Instruction ID: 4fc6a33632791ef3c0334ef449f39279a11e2105959a987d7a0141e0211d7253
Opcode Fuzzy Hash: ffda32fc64425e7646656e61b1e86f53da8e2d60b08447131583f8a03fd42720
Instruction Fuzzy Hash: C4F0243A71820A0BA210CDAAE8C0E3BB396D7C9364B04153DEA85C3201CDB2E80281A4

Function 00CFB8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00CDC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00CDB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: beb3f7d1411df43ecab24e804a027fc279377ef878399a6fd2a75c4df04e216f
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 34F0ECB160451097DF22CA549CC0F3BBBDCCB97354F1A0427E94557303D2616C45C3E5

Function 00CF8220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc031dcfde7b3a43d446f66c9e1a1b03d4afa13087da6e0ec9dc2a4a72d475a
Instruction ID: f3055d07a1b4d57dbe0f57d8ea82d8ad1faa14c80254c7b65c9af8f2443a9eac
Opcode Fuzzy Hash: abc031dcfde7b3a43d446f66c9e1a1b03d4afa13087da6e0ec9dc2a4a72d475a
Instruction Fuzzy Hash: 2B01E4B04107009FD360EF29C445757BBE8EB48714F004A1DE8AECB780D770A5448B92

Function 00D01440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: be9b6a51836953cfe8c2abb2df443f58ae0166756bccb745e38e1c0b6e035421
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 82D0A73560832146DF748E19A400A77F7F0EAC7B11F4D955EF58AE3198D230DC41C2B9

Function 00CD1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01dff9fa3cd5a73e14c598c07991a3846c12fe44380443f5301a187b7c3d1857
Instruction ID: 39de7df2aebb7b17841f4ab9555e4cde4458eb376ac138cbe225a2646de08eb2
Opcode Fuzzy Hash: 01dff9fa3cd5a73e14c598c07991a3846c12fe44380443f5301a187b7c3d1857
Instruction Fuzzy Hash: BFC08C34A182009BC204CF41FCD5672B3F8A307308720B03AEE0BF3B21CA60D4029929

Function 00D06094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e1544100a5d5f39bde21c19302ff84563eca30bfa34f1697561139d3b44105
Instruction ID: 1436e6cdf5ecceffb1c924a74dab916af2a5e7092aadc2fbddedfe19a8ebef77
Opcode Fuzzy Hash: 54e1544100a5d5f39bde21c19302ff84563eca30bfa34f1697561139d3b44105
Instruction Fuzzy Hash: 6FC04C34A5C100969508CE04EA515B5E6A69A97654724F019C84763396D528D513993C

Function 00CD1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54ab3c466251b0123f5156b64611dc049f62e95be1abce08618e2d6dbd6b51f
Instruction ID: ab734cd87153396b14db8023e39725f54e5402e86b57e66912a07dac07349ebc
Opcode Fuzzy Hash: b54ab3c466251b0123f5156b64611dc049f62e95be1abce08618e2d6dbd6b51f
Instruction Fuzzy Hash: EFC09B34A59144CBC254CF86E8D1631B3FC5307208724303B9F0BF7761C560D4059519

Function 00D05FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1390792393.0000000000CC1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00CC0000, based on PE: true

Associated: 00000000.00000002.1390775217.0000000000CC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000EA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000F85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1390830935.0000000000FCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391081695.0000000000FCD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391211807.000000000116C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1391231676.000000000116D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3423f9d56d3d39b000b44b6d9b40f3de907fad3ecb9f7ca6cb1ed31699b2cd8
Instruction ID: 4c2401dfff76a8c01eb5e45b0e374bf07101f4e273e267f87da188bfbd3f26fb
Opcode Fuzzy Hash: f3423f9d56d3d39b000b44b6d9b40f3de907fad3ecb9f7ca6cb1ed31699b2cd8
Instruction Fuzzy Hash: 3BC09B2476C10057964CCF14DE51575F2F69B87514714F01DC807F3357E534D513851C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
file.exe

Function 00D050FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00CCFCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00CCD110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00D05BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00D0695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00CD049B Relevance: .3, Instructions: 264
COMMON

Function 00CD0228 Relevance: .2, Instructions: 218
COMMON

Function 00D03220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00D03202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON