Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1531487
MD5:	e4c770f6fda588b14a87528fd955926c
SHA1:	7da417cf6be67062cc4a2a4dd78463733bc5f678
SHA256:	02b9b0b718e95eac3e42a21d89d42b8a9da1ddbb8da5ceecd0925555668aed6f
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E4C770F6FDA588B14A87528FD955926C)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["eaglepawnoy.store", "bathdoomgaz.store", "mobbipenju.store", "dissapoiznw.store", "clearancek.site", "studennotediw.store", "spirittunek.store", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.732591+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.5	51119	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.672062+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.5	49670	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.709857+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.5	55049	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.698111+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.5	50856	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.753921+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.5	53723	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.685787+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.5	51271	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.743515+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.5	56512	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:41.721394+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.5	58145	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-11T09:45:42.864527+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49704	23.192.247.89	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7120.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["eaglepawnoy.store", "bathdoomgaz.store", "mobbipenju.store", "dissapoiznw.store", "clearancek.site", "studennotediw.store", "spirittunek.store", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: eaglepawnoy.store	Virustotal: Detection: 18%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 21%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 21%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 21%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 21%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 21%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 21%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 21%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 18%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 21%	Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.store
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.store
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.store
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.store
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D850FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D4D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D4D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00D863B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00D899D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00D8695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00D4FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00D86094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00D84040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00D41000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00D7F030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00D56F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00D6D1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00D542FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00D62260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00D62260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00D4A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00D864B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D5D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00D81440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00D6C470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00D5B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00D6E40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00D48590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D69510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00D56536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00D87520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00D7B650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00D6E66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00D867EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00D6D7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00D87710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D85700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00D628E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00D449A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00D5D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00D83920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00D51ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00D45A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00D84A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00D51A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00D53BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00D51BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00D70B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00D89B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00D5DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00D5DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00D6CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D6CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00D6CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D89CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00D89CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00D6AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00D6AC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00D6EC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00D67C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00D7FC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D88D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00D6FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00D6DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00D50EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00D51E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00D4BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00D56EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00D46EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00D6AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D65E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00D67E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00D54E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00D48FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00D5FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00D85FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00D87FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D87FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00D56F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00D7FF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00D69F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:56512 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:50856 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:49670 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:58145 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:51119 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:53723 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:51271 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:55049 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 23.192.247.89:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: dissapoiznw.store
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: spirittunek.store
Source: Malware configuration extractor	URLs: licendfilteo.site

Source: Joe Sandbox View

IP Address: 23.192.247.89 23.192.247.89

Source: Joe Sandbox View

ASN Name: AKAMAI-ASUS AKAMAI-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=dfaa5f27339075f537a79bad; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 11 Oct 2024 07:45:42 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2037155601.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2037155601.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900t
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.2037266220.0000000001639000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001638000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001637000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900L
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037266220.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.2037266220.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D50228	0_2_00D50228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8A0D0	0_2_00D8A0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D84040	0_2_00D84040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F04C	0_2_00E7F04C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023	0_2_00F11023
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D41000	0_2_00D41000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D52030	0_2_00D52030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D471F0	0_2_00D471F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4E1A0	0_2_00D4E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D45160	0_2_00D45160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F06134	0_2_00F06134
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D782D0	0_2_00D782D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D712D0	0_2_00D712D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D412F7	0_2_00D412F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0B29D	0_2_00F0B29D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D723E0	0_2_00D723E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4B3A0	0_2_00D4B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D413A3	0_2_00D413A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4A300	0_2_00D4A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D764F0	0_2_00D764F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5049B	0_2_00D5049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D54487	0_2_00D54487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6C470	0_2_00D6C470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F10449	0_2_00F10449
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5C5F0	0_2_00D5C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D48590	0_2_00D48590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D435B0	0_2_00D435B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D886F0	0_2_00D886F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D88652	0_2_00D88652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4164F	0_2_00D4164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0463D	0_2_00F0463D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7F620	0_2_00D7F620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7B8C0	0_2_00D7B8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7E8A0	0_2_00D7E8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4A850	0_2_00D4A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D71860	0_2_00D71860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2981F	0_2_00E2981F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EFF9CC	0_2_00EFF9CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA89C2	0_2_00EA89C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6098B	0_2_00D6098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D889A0	0_2_00D889A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0E91D	0_2_00F0E91D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F02AC8	0_2_00F02AC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D88A80	0_2_00D88A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D87AB0	0_2_00D87AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3DA92	0_2_00E3DA92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D84A40	0_2_00D84A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D47BF0	0_2_00D47BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F07BB0	0_2_00F07BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5DB6F	0_2_00D5DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6CCD0	0_2_00D6CCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E37CA1	0_2_00E37CA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D86CBF	0_2_00D86CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF1C85	0_2_00EF1C85
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D88C02	0_2_00D88C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DCFD96	0_2_00DCFD96
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D68D62	0_2_00D68D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6FD10	0_2_00D6FD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6DD29	0_2_00D6DD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4BEB0	0_2_00D4BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D56EBF	0_2_00D56EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6AE57	0_2_00D6AE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D88E70	0_2_00D88E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D54E2A	0_2_00D54E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D48FD0	0_2_00D48FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D87FC0	0_2_00D87FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4AF10	0_2_00D4AF10

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D5D300 appears 152 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00D4CAA0 appears 48 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9994585396039604
Source: file.exe	Static PE information: Section: khlvkmgd ZLIB complexity 0.9942170439035487

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D78220 CoCreateInstance,

0_2_00D78220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 1858048 > 1048576

Source: file.exe

Static PE information: Raw size of khlvkmgd is bigger than: 0x100000 < 0x19c200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.d40000.0.unpack :EW;.rsrc :W;.idata :W; :EW;khlvkmgd:EW;wdpcnvtj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;khlvkmgd:EW;wdpcnvtj:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1cd6b6 should be: 0x1d02ff

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: khlvkmgd
Source: file.exe	Static PE information: section name: wdpcnvtj
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDA0FC push ecx; mov dword ptr [esp], 3CF78E01h	0_2_00FDA113
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DA30C0 push 152B21E2h; mov dword ptr [esp], eax	0_2_00DA312C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F310D0 push edi; mov dword ptr [esp], ecx	0_2_00F310E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCC0BB push 4E6E2586h; mov dword ptr [esp], ebp	0_2_00FCC132
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCC0BB push 1C3BC0C8h; mov dword ptr [esp], esi	0_2_00FCC155
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA40A9 push edi; mov dword ptr [esp], 0DA04E00h	0_2_00FA40B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA50A4 push esi; mov dword ptr [esp], ebp	0_2_00FA518A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3809A push 5BD0C7D3h; mov dword ptr [esp], ecx	0_2_00F380EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3809A push edx; mov dword ptr [esp], ebp	0_2_00F38133
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD406B push 39A46100h; mov dword ptr [esp], ecx	0_2_00FD40E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F04C push 7106D773h; mov dword ptr [esp], edx	0_2_00E7F065
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F04C push ebp; mov dword ptr [esp], 61F186CDh	0_2_00E7F0BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F04C push 5A224ECCh; mov dword ptr [esp], ecx	0_2_00E7F1A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push eax; mov dword ptr [esp], ecx	0_2_00F10FFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push edx; mov dword ptr [esp], edi	0_2_00F11033
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push 2041A31Bh; mov dword ptr [esp], ebx	0_2_00F110F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push 7843AFFBh; mov dword ptr [esp], ecx	0_2_00F11145
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push esi; mov dword ptr [esp], 3BC17DC8h	0_2_00F11172
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push esi; mov dword ptr [esp], 0000142Ch	0_2_00F111EB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push eax; mov dword ptr [esp], ebp	0_2_00F11200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push ecx; mov dword ptr [esp], 6F9B0DA3h	0_2_00F11284
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push 2115C3BCh; mov dword ptr [esp], ebx	0_2_00F11306
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push edx; mov dword ptr [esp], ebp	0_2_00F11400
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F11023 push ebp; mov dword ptr [esp], ecx	0_2_00F11456
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F68020 push 04A4DA44h; mov dword ptr [esp], eax	0_2_00F680B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F1A1BD push ebp; mov dword ptr [esp], 00000004h	0_2_00F1A1CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5E1BB push ebp; mov dword ptr [esp], 35BA04BFh	0_2_00F5E1DB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1180 push ebp; mov dword ptr [esp], esi	0_2_00FC14CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F06134 push 3481BA9Ch; mov dword ptr [esp], eax	0_2_00F06140
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F06134 push 1F0233E6h; mov dword ptr [esp], ebx	0_2_00F06173
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F06134 push 57CE862Bh; mov dword ptr [esp], ecx	0_2_00F0618D

Source: file.exe	Static PE information: section name: entropy: 7.97771484946437
Source: file.exe	Static PE information: section name: khlvkmgd entropy: 7.952694993737371

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15E89 second address: F15E8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15E8D second address: F15E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEF80 second address: EFEF90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F154DF second address: F154E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F154E3 second address: F154F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA828F76C86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d ja 00007FA828F76C86h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F154F7 second address: F15508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA828F7885Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15508 second address: F1550C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1566F second address: F15693 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA828F78866h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F15693 second address: F156A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007FA828F76C86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FA828F76C86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F156A9 second address: F156AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F157D6 second address: F157DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1860B second address: F18612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18612 second address: F1868D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FA828F76C88h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D3B0Ah] 0x0000002a jo 00007FA828F76C8Ch 0x00000030 mov ecx, dword ptr [ebp+122D3BA2h] 0x00000036 mov ecx, dword ptr [ebp+122D3BCAh] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FA828F76C88h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 add dh, 00000072h 0x0000005b push B9535EFBh 0x00000060 push eax 0x00000061 push edx 0x00000062 jns 00007FA828F76C8Ch 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1868D second address: F1870B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FA828F78856h 0x00000009 js 00007FA828F78856h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 add dword ptr [esp], 46ACA185h 0x00000019 mov esi, dword ptr [ebp+122D3AF6h] 0x0000001f push 00000003h 0x00000021 jmp 00007FA828F78865h 0x00000026 call 00007FA828F78869h 0x0000002b movzx edx, bx 0x0000002e pop esi 0x0000002f push 00000000h 0x00000031 or dword ptr [ebp+122D21DDh], ebx 0x00000037 push 00000003h 0x00000039 mov esi, dword ptr [ebp+122D3996h] 0x0000003f push 896DDD9Ah 0x00000044 pushad 0x00000045 jmp 00007FA828F78862h 0x0000004a push edi 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F187C6 second address: F187CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F187CC second address: F187FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 jl 00007FA828F78860h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007FA828F78856h 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FA828F7885Fh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F187FA second address: F18894 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FA828F76C88h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jmp 00007FA828F76C98h 0x00000027 call 00007FA828F76C8Bh 0x0000002c movsx ecx, di 0x0000002f pop edi 0x00000030 push 00000003h 0x00000032 mov ecx, edx 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D2509h], ecx 0x0000003c push 00000003h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FA828F76C88h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 0000001Bh 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 call 00007FA828F76C89h 0x0000005d pushad 0x0000005e jnp 00007FA828F76C88h 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18A61 second address: F18A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA828F78856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18A6B second address: F18A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38FD9 second address: F38FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38FDD second address: F38FE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38FE1 second address: F38FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38FE9 second address: F38FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38FEF second address: F38FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F36FE8 second address: F36FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F36FEC second address: F36FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F36FF0 second address: F36FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37163 second address: F3716F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA828F78856h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F376E3 second address: F37700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA828F76C98h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F379D7 second address: F379DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F379DC second address: F37A05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FA828F76C86h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37A05 second address: F37A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37A09 second address: F37A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FA828F76C8Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37B8C second address: F37B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37B91 second address: F37BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnc 00007FA828F76C86h 0x00000011 jmp 00007FA828F76C96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B9D1 second address: F2B9D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38154 second address: F38167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C8Eh 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38167 second address: F3817D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA828F7885Ch 0x00000008 jg 00007FA828F78856h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3817D second address: F38181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38181 second address: F3818B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA828F78856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3818B second address: F38197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38197 second address: F3819D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3819D second address: F381A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F381A3 second address: F381B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F78862h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38928 second address: F38930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38930 second address: F3893F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FA828F78856h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BF5F second address: F3BF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BF63 second address: F3BF6D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F076D9 second address: F076E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F076E1 second address: F076E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FC61 second address: F3FCB4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edx 0x0000000b jc 00007FA828F76C8Ch 0x00000011 jno 00007FA828F76C86h 0x00000017 pop edx 0x00000018 mov eax, dword ptr [eax] 0x0000001a je 00007FA828F76C9Fh 0x00000020 jl 00007FA828F76C99h 0x00000026 jmp 00007FA828F76C93h 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 jmp 00007FA828F76C90h 0x00000037 pushad 0x00000038 popad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FCB4 second address: F3FCB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FCB9 second address: F3FCBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F43144 second address: F43148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F43148 second address: F4314C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4314C second address: F43190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F7885Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA828F78867h 0x00000010 jmp 00007FA828F78862h 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007FA828F78856h 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42621 second address: F42638 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007FA828F76C86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FA828F76C8Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42638 second address: F4264E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F78862h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4264E second address: F42653 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F45CAB second address: F45CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F45CB0 second address: F45CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F45CB8 second address: F45CD6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FA828F78861h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05C4E second address: F05C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4644B second address: F46456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA828F78856h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46456 second address: F4645B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46567 second address: F4656B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46842 second address: F46848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4690D second address: F46916 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F46BD8 second address: F46BED instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA828F76C8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47110 second address: F47115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47115 second address: F4711B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4711B second address: F4711F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47148 second address: F47163 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47163 second address: F471AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007FA828F78856h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jns 00007FA828F78856h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 jng 00007FA828F78856h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 jnl 00007FA828F7886Ch 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jnp 00007FA828F78858h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F471AE second address: F471B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F471B3 second address: F471B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4726F second address: F4727A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA828F76C86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4733C second address: F47342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47509 second address: F4750D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4750D second address: F47511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47681 second address: F47688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47688 second address: F476BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA828F78869h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA828F78862h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4773F second address: F47743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47743 second address: F47788 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA828F78860h 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FA828F78858h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47788 second address: F4778C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4778C second address: F47796 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F47796 second address: F4779C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4779C second address: F477A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F48F5C second address: F48F80 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FA828F76C8Dh 0x0000000f jmp 00007FA828F76C8Ch 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4A1AB second address: F4A1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AE40 second address: F4AE4A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4AE4A second address: F4AE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FA828F78856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4B657 second address: F4B661 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA828F76C8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4C0F7 second address: F4C0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4B661 second address: F4B677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA828F76C8Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4CE52 second address: F4CE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F52194 second address: F521A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA828F76C8Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F521A3 second address: F521A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F512C0 second address: F512E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jng 00007FA828F76C8Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F533E6 second address: F533EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F533EA second address: F533EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54298 second address: F542B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA828F78860h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F534E1 second address: F534FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA828F76C97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F535B9 second address: F535BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F57181 second address: F571D9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e xor ebx, dword ptr [ebp+122D2018h] 0x00000014 push 00000000h 0x00000016 mov bx, cx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FA828F76C88h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 jmp 00007FA828F76C8Ch 0x0000003a jnl 00007FA828F76C89h 0x00000040 push eax 0x00000041 je 00007FA828F76C90h 0x00000047 pushad 0x00000048 push eax 0x00000049 pop eax 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5638C second address: F56393 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F580DC second address: F58164 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov bh, dh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FA828F76C88h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b push esi 0x0000002c mov bx, cx 0x0000002f pop ebx 0x00000030 sub di, 3101h 0x00000035 mov dword ptr [ebp+122D1A19h], eax 0x0000003b push 00000000h 0x0000003d call 00007FA828F76C91h 0x00000042 jmp 00007FA828F76C97h 0x00000047 pop edi 0x00000048 xchg eax, esi 0x00000049 push ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c jnc 00007FA828F76C86h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F57344 second address: F5735A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78862h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A4DE second address: F5A565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 js 00007FA828F76C86h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FA828F76C88h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push dword ptr fs:[00000000h] 0x00000033 push eax 0x00000034 mov ebx, dword ptr [ebp+122D3B5Ah] 0x0000003a pop edi 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 jmp 00007FA828F76C95h 0x00000047 mov eax, dword ptr [ebp+122D105Dh] 0x0000004d push FFFFFFFFh 0x0000004f jmp 00007FA828F76C92h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 pushad 0x00000059 popad 0x0000005a jnc 00007FA828F76C86h 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5A565 second address: F5A56F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FA828F78856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59363 second address: F59367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5C51E second address: F5C538 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78863h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59431 second address: F59435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59435 second address: F59458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78863h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FA828F78858h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E823 second address: F5E8A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FA828F76C8Ah 0x0000000d nop 0x0000000e or ebx, dword ptr [ebp+122DBAF4h] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b clc 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov bx, ax 0x00000026 xor dword ptr [ebp+122D1F32h], ecx 0x0000002c mov eax, dword ptr [ebp+122D0441h] 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007FA828F76C88h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c mov ebx, edx 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edi 0x00000053 call 00007FA828F76C88h 0x00000058 pop edi 0x00000059 mov dword ptr [esp+04h], edi 0x0000005d add dword ptr [esp+04h], 00000014h 0x00000065 inc edi 0x00000066 push edi 0x00000067 ret 0x00000068 pop edi 0x00000069 ret 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5E8A5 second address: F5E8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA828F78856h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F80B second address: F5F824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F824 second address: F5F8C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FA828F7885Eh 0x0000000d nop 0x0000000e mov di, 792Ah 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov di, cx 0x0000001c mov edi, dword ptr [ebp+122D224Dh] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007FA828F78858h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 movzx edi, bx 0x00000046 mov eax, dword ptr [ebp+122D0ECDh] 0x0000004c mov dword ptr [ebp+122D219Dh], esi 0x00000052 mov edi, 504E8DDEh 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push edx 0x0000005c call 00007FA828F78858h 0x00000061 pop edx 0x00000062 mov dword ptr [esp+04h], edx 0x00000066 add dword ptr [esp+04h], 00000017h 0x0000006e inc edx 0x0000006f push edx 0x00000070 ret 0x00000071 pop edx 0x00000072 ret 0x00000073 and di, 55FFh 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FA828F7885Eh 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F8C3 second address: F5F8C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F8C9 second address: F5F8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F607CC second address: F607D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65DA5 second address: F65DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA828F78865h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65DC0 second address: F65DE0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA828F76C86h 0x00000008 jng 00007FA828F76C86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007FA828F76C86h 0x0000001a jnc 00007FA828F76C86h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65DE0 second address: F65E12 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA828F78856h 0x00000008 jmp 00007FA828F78861h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA828F78863h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65E12 second address: F65E1C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0E432 second address: F0E436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0E436 second address: F0E43A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0E43A second address: F0E45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA828F78856h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FA828F78861h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B16F second address: F6B187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B187 second address: F6B190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B190 second address: F6B19E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B19E second address: F6B1A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A890 second address: F6A894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A894 second address: F6A8A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78860h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A9F6 second address: F6A9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6A9FB second address: F6AA30 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA828F78866h 0x00000008 jno 00007FA828F78856h 0x0000000e jmp 00007FA828F7885Ah 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 jmp 00007FA828F78861h 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AA30 second address: F6AA36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AA36 second address: F6AA40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA828F78856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AD26 second address: F6AD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AD2C second address: F6AD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EAD3 second address: F6EAE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA828F76C8Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EAE5 second address: F6EAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6EAE9 second address: F6EAED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71D51 second address: F71D7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F7885Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jg 00007FA828F7885Eh 0x00000014 push eax 0x00000015 ja 00007FA828F78856h 0x0000001b pop eax 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jnl 00007FA828F78858h 0x00000026 push edi 0x00000027 pop edi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71E98 second address: F71E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F71E9C second address: F71F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jl 00007FA828F78866h 0x00000012 jmp 00007FA828F78860h 0x00000017 jmp 00007FA828F78868h 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jnc 00007FA828F7885Ch 0x00000026 je 00007FA828F7886Ah 0x0000002c jmp 00007FA828F78864h 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007FA828F78865h 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78CEF second address: F78D34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA828F76C92h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c je 00007FA828F76CB8h 0x00000012 jmp 00007FA828F76C98h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FA828F76C8Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78146 second address: F7814B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7814B second address: F78170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA828F76C95h 0x00000010 push esi 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78170 second address: F78175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F782CD second address: F782FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA828F76C86h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop esi 0x00000013 jnp 00007FA828F76C92h 0x00000019 jp 00007FA828F76C86h 0x0000001f js 00007FA828F76C86h 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FA828F76C8Bh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78449 second address: F7844F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7844F second address: F78454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F785C6 second address: F785CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F785CA second address: F785D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F785D0 second address: F785DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA828F78856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F785DA second address: F785DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7872E second address: F7874C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78860h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FA828F78856h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F78B6C second address: F78B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040F7 second address: F040FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040FB second address: F0410B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FA828F76C86h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DE4D second address: F4DE6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jnp 00007FA828F78856h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA828F7885Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DE6D second address: F4DED5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007FA828F76C97h 0x0000000f jmp 00007FA828F76C8Dh 0x00000014 pop edi 0x00000015 mov dl, bh 0x00000017 lea eax, dword ptr [ebp+1247DBCDh] 0x0000001d mov dword ptr [ebp+1244F000h], esi 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FA828F76C99h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DED5 second address: F4DED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DED9 second address: F4DEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4DEDF second address: F2B9D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA828F78864h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007FA828F7885Ch 0x00000015 mov ecx, esi 0x00000017 pop edi 0x00000018 call dword ptr [ebp+122D1807h] 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 je 00007FA828F78856h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E464 second address: F4E468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E468 second address: F4E46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E4FF second address: F4E558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push esi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop esi 0x0000000f pop esi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jbe 00007FA828F76C9Fh 0x0000001a push eax 0x0000001b jmp 00007FA828F76C97h 0x00000020 pop eax 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jno 00007FA828F76C86h 0x0000002c jmp 00007FA828F76C8Dh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E558 second address: F4E55D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E55D second address: F4E56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E56F second address: F4E57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA828F78856h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E67D second address: F4E6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007FA828F76C99h 0x0000000b jmp 00007FA828F76C93h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jmp 00007FA828F76C92h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E79E second address: F4E7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4E7A3 second address: F4E7AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA828F76C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EA42 second address: F4EA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EA49 second address: F4EAA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007FA828F76C86h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FA828F76C88h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov dx, C42Dh 0x0000002d adc cx, 7E72h 0x00000032 push 00000004h 0x00000034 push ebx 0x00000035 mov dx, di 0x00000038 pop edx 0x00000039 push eax 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FA828F76C99h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EAA6 second address: F4EAAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4F2D6 second address: F4F2DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4F2DB second address: F2C4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov cx, 9D48h 0x0000000e call dword ptr [ebp+122D18C4h] 0x00000014 jc 00007FA828F7886Ah 0x0000001a jmp 00007FA828F78864h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2C4AA second address: F2C4CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C93h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f je 00007FA828F76C8Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F092AA second address: F092AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F092AF second address: F092E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C93h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA828F76C8Bh 0x00000015 pushad 0x00000016 jo 00007FA828F76C86h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F092E1 second address: F09307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F78866h 0x00000009 jmp 00007FA828F7885Bh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C4FB second address: F7C4FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C903 second address: F7C90C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C90C second address: F7C912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CA83 second address: F7CA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CA87 second address: F7CA8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CA8B second address: F7CAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F78863h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CAA8 second address: F7CAB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CAB8 second address: F7CABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CD61 second address: F7CD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CD6C second address: F7CD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FA828F78856h 0x0000000d jmp 00007FA828F7885Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CD88 second address: F7CD8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CD8C second address: F7CD94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CD94 second address: F7CD9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FA828F76C86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7CEE5 second address: F7CEFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FA828F78856h 0x0000000c popad 0x0000000d pop edx 0x0000000e js 00007FA828F78860h 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8122B second address: F81231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F81231 second address: F81235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8AC1E second address: F8AC5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C8Ah 0x00000007 jmp 00007FA828F76C98h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnc 00007FA828F76C9Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0C82D second address: F0C850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F7885Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA828F7885Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0C850 second address: F0C86A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C91h 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A4D2 second address: F8A4D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A622 second address: F8A632 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA828F76C86h 0x00000008 jng 00007FA828F76C86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A91B second address: F8A928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FA828F78856h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A928 second address: F8A957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C94h 0x00000007 jmp 00007FA828F76C8Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jno 00007FA828F76C86h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8A957 second address: F8A976 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FA828F7886Bh 0x0000000e jmp 00007FA828F7885Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF4B second address: F8EF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF4F second address: F8EF55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF55 second address: F8EF5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF5B second address: F8EF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FA828F7885Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF77 second address: F8EF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF7C second address: F8EF81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8EF81 second address: F8EF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F0D2 second address: F8F0F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jng 00007FA828F78856h 0x00000010 push edx 0x00000011 pop edx 0x00000012 jno 00007FA828F78856h 0x00000018 popad 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F0F0 second address: F8F0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C8Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F5C8 second address: F8F5EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F7885Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA828F78863h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F5EC second address: F8F5F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F5F9 second address: F8F60F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jnl 00007FA828F78856h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F60F second address: F8F619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA828F76C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F619 second address: F8F623 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA828F78856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F623 second address: F8F631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FA828F76C8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F789 second address: F8F78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9482B second address: F94855 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA828F76C9Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FA828F76C86h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F94855 second address: F9485F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA828F78856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9485F second address: F9486F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a js 00007FA828F76C86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9429D second address: F942AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FA828F7885Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F942AD second address: F942B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F942B1 second address: F942BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA828F78856h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96746 second address: F9674D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9674D second address: F96772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA828F78856h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA828F78864h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96772 second address: F9678F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FA828F76C97h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9678F second address: F96799 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F96799 second address: F967AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C91h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F99FF1 second address: F9A002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F7885Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A002 second address: F9A010 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA828F76C88h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A010 second address: F9A014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A014 second address: F9A018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A018 second address: F9A01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A18C second address: F9A190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A190 second address: F9A195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A195 second address: F9A19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A19B second address: F9A1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A338 second address: F9A344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A5A4 second address: F9A5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9F8D0 second address: F9F8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA828F76C86h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FA79 second address: F9FA8D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c jo 00007FA828F7885Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FBD6 second address: F9FBE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA828F76C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FBE0 second address: F9FC07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA828F78869h 0x0000000d jnp 00007FA828F78856h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FC07 second address: F9FC0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FE79 second address: F9FE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FE80 second address: F9FE96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FA828F76C86h 0x00000009 ja 00007FA828F76C86h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FE96 second address: F9FEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FA828F78856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FEA0 second address: F9FEA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9FEA4 second address: F9FEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA828F78856h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FA828F78856h 0x00000017 jnl 00007FA828F78856h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0015 second address: FA0030 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C96h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EC01 second address: F4EC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F7885Bh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FA828F7885Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EC1F second address: F4EC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EC2C second address: F4EC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EC35 second address: F4EC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4EC39 second address: F4EC92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F7885Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b or ecx, dword ptr [ebp+122D3AFEh] 0x00000011 mov ebx, dword ptr [ebp+1247DC0Ch] 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007FA828F78858h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 add ecx, dword ptr [ebp+122D3A62h] 0x00000037 add eax, ebx 0x00000039 mov edi, dword ptr [ebp+122D2176h] 0x0000003f mov edx, dword ptr [ebp+122D2106h] 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 jnl 00007FA828F78856h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA4D9C second address: FA4DA1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA43D3 second address: FA43E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA828F7885Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA43E4 second address: FA43EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FA828F76C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA496A second address: FA499E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA828F78856h 0x0000000a jbe 00007FA828F78869h 0x00000010 jmp 00007FA828F78861h 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop edx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jp 00007FA828F78858h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAAFA9 second address: FAAFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB7F2 second address: FAB7FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FA828F78856h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FABB40 second address: FABB45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FABB45 second address: FABB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA828F78862h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FA828F78880h 0x00000012 push ebx 0x00000013 je 00007FA828F78856h 0x00000019 jno 00007FA828F78856h 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007FA828F78856h 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC180 second address: FAC196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA828F76C90h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC196 second address: FAC19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC19A second address: FAC1BC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FA828F76C92h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC1BC second address: FAC1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC1C4 second address: FAC1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA828F76C86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC4DD second address: FAC4E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC4E1 second address: FAC4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FA828F76C88h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC4EF second address: FAC504 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA828F7885Eh 0x00000008 jnc 00007FA828F78856h 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC812 second address: FAC822 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA828F76C86h 0x00000008 jne 00007FA828F76C86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC822 second address: FAC82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FA828F78856h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC82D second address: FAC84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FA828F76C8Ch 0x0000000f jmp 00007FA828F76C8Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC84D second address: FAC857 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA828F7885Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FACDA8 second address: FACDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA828F76C90h 0x0000000c jmp 00007FA828F76C96h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB1A91 second address: FB1AA3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FA828F7885Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB4E23 second address: FB4E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB4FC9 second address: FB4FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB52CC second address: FB52D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB52D0 second address: FB52D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB5727 second address: FB572D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB572D second address: FB5731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB5731 second address: FB5745 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jnc 00007FA828F76C86h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD67C second address: FBD680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBDBF5 second address: FBDC0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE049 second address: FBE04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE19C second address: FBE1BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA828F76C94h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE1BC second address: FBE1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBE339 second address: FBE33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBEB3E second address: FBEB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA828F78856h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF2C3 second address: FBF2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA828F76C86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF2CD second address: FBF2D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBF2D3 second address: FBF2D8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD0CD second address: FBD0D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD0D1 second address: FBD0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD0DB second address: FBD0DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4AAA second address: FC4AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA828F76C86h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jc 00007FA828F76C86h 0x00000016 jmp 00007FA828F76C94h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4AD5 second address: FC4ADB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4ADB second address: FC4AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4961 second address: FC4972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA828F7885Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4972 second address: FC4976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC4976 second address: FC4986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FA828F78856h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7E29 second address: FC7E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FA828F76C86h 0x0000000d jc 00007FA828F76C86h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7E3C second address: FC7E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7E42 second address: FC7E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA828F76C97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7E5D second address: FC7E6B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA828F78856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC7864 second address: FC786C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC79C4 second address: FC79E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FA828F78868h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC79E4 second address: FC7A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA828F76C86h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FA828F76C99h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6A21 second address: FD6A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6A28 second address: FD6A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD6A2E second address: FD6A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD937A second address: FD937E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD937E second address: FD9398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78862h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9398 second address: FD939E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD939E second address: FD93A6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD93A6 second address: FD93DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C8Bh 0x00000007 jg 00007FA828F76C9Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FA828F76C86h 0x00000018 jnc 00007FA828F76C86h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD93DF second address: FD93E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD93E3 second address: FD9409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C98h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FA828F76C8Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9409 second address: FD9412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9547 second address: FD954B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF792 second address: FDF7AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F78863h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7AA second address: FDF7B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDF7B0 second address: FDF7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA173 second address: FEA17B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA17B second address: FEA17F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA17F second address: FEA1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C96h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jng 00007FA828F76C86h 0x00000017 popad 0x00000018 push esi 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007FA828F76C86h 0x00000024 jnl 00007FA828F76C86h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA1BA second address: FEA1CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007FA828F78856h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB7F6 second address: FEB7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB7FA second address: FEB81F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FA828F78856h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007FA828F78863h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB81F second address: FEB823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0AD73 second address: F0AD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F7885Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEDAA3 second address: FEDAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1EBF second address: FF1EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1EC3 second address: FF1ECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1ECE second address: FF1ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF200C second address: FF2026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C96h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF2026 second address: FF202C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF202C second address: FF204A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FA828F76C94h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF21E2 second address: FF21E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF21E8 second address: FF21ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF21ED second address: FF21F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF2393 second address: FF2399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF26A1 second address: FF26B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F7885Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF26B3 second address: FF26B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF71C3 second address: FF71C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF71C9 second address: FF71E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1000E96 second address: 1000E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1000E9B second address: 1000EAB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FA828F76C86h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1009957 second address: 1009963 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FA828F78856h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1009963 second address: 100996F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FA828F76C86h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10097E1 second address: 10097E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10097E9 second address: 10097EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10097EF second address: 10097F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10097F9 second address: 100980D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA828F76C8Bh 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100980D second address: 1009811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102C183 second address: 102C18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jns 00007FA828F76C86h 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102FB06 second address: 102FB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102FDDA second address: 102FDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA828F76C95h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1030419 second address: 103043B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA828F78862h 0x00000008 jbe 00007FA828F78856h 0x0000000e jns 00007FA828F78856h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jp 00007FA828F78893h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103043B second address: 1030462 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA828F76C86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA828F76C99h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1030462 second address: 1030466 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10305CC second address: 10305DC instructions: 0x00000000 rdtsc 0x00000002 je 00007FA828F76C86h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10305DC second address: 10305E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10306F7 second address: 103070B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F76C8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103070B second address: 103070F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103070F second address: 1030713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1030713 second address: 1030719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036548 second address: 1036555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FA828F76C86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1036555 second address: 10365A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA828F78862h 0x0000000b popad 0x0000000c pushad 0x0000000d jnp 00007FA828F7885Eh 0x00000013 jnl 00007FA828F78856h 0x00000019 push edi 0x0000001a pop edi 0x0000001b pushad 0x0000001c jnc 00007FA828F78856h 0x00000022 push eax 0x00000023 pop eax 0x00000024 jmp 00007FA828F78866h 0x00000029 popad 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103857D second address: 1038588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA828F76C86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5400D2D second address: 5400DE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F78869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FA828F788B6h 0x0000000f jmp 00007FA828F7885Eh 0x00000014 add eax, ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 pushfd 0x00000019 jmp 00007FA828F7885Dh 0x0000001e xor al, 00000036h 0x00000021 jmp 00007FA828F78861h 0x00000026 popfd 0x00000027 pop ecx 0x00000028 pushfd 0x00000029 jmp 00007FA828F78861h 0x0000002e sub ax, 8A96h 0x00000033 jmp 00007FA828F78861h 0x00000038 popfd 0x00000039 popad 0x0000003a mov eax, dword ptr [eax+00000860h] 0x00000040 pushad 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 mov dx, si 0x00000047 popad 0x00000048 mov esi, 30AE291Bh 0x0000004d popad 0x0000004e test eax, eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FA828F78868h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5400DE2 second address: 5400DE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5400DE8 second address: 5400E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA828F7885Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA8995EE7BBh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5400E06 second address: 5400E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5400E0A second address: 5400E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5400E10 second address: 5400E6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FA828F76C8Eh 0x0000000b sbb esi, 311D46A8h 0x00000011 jmp 00007FA828F76C8Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test byte ptr [eax+04h], 00000005h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FA828F76C8Bh 0x00000027 adc cl, FFFFFFEEh 0x0000002a jmp 00007FA828F76C99h 0x0000002f popfd 0x00000030 movzx esi, dx 0x00000033 popad 0x00000034 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DA3CC5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F3E3B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FCD8CB instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2316	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6728	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2037048898.00000000015BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: file.exe, 00000000.00000002.2037266220.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2037155601.000000000161C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.000000000161C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D85BB0 LdrInitializeThunk,

0_2_00D85BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, file.exe, 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: LProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.ZPACK.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
eaglepawnoy.store	19%	Virustotal	Browse
spirittunek.store	22%	Virustotal	Browse
bathdoomgaz.store	22%	Virustotal	Browse
mobbipenju.store	22%	Virustotal	Browse
dissapoiznw.store	22%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://player.vimeo.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://medal.tv	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://login.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://steam.tv/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
https://recaptcha.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://help.steampowered.com/	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://store.steampowered.com/;	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
https://www.google.com	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	0%	Virustotal		Browse
https://www.youtube.com	0%	Virustotal		Browse
bathdoomgaz.store	22%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
studennotediw.store	18%	Virustotal		Browse
https://steamcommunity.com/profiles/76561199724331900t	0%	Virustotal		Browse
clearancek.site	18%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf	0%	Virustotal		Browse
licendfilteo.site	16%	Virustotal		Browse
dissapoiznw.store	22%	Virustotal		Browse
spirittunek.store	22%	Virustotal		Browse
eaglepawnoy.store	19%	Virustotal		Browse
https://steamcommunity.com	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU	0%	Virustotal		Browse
https://sketchfab.com	0%	Virustotal		Browse
https://www.youtube.com/	0%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	0%	Virustotal		Browse
mobbipenju.store	22%	Virustotal		Browse
https://steamcommunity.com/	0%	Virustotal		Browse
http://127.0.0.1:27060	0%	Virustotal		Browse
https://www.google.com/recaptcha/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	23.192.247.89	true	true	0%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	true	19%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	true	22%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	true	22%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	true	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	true	22%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	true	22%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bathdoomgaz.store	true	22%, Virustotal, Browse	unknown
studennotediw.store	true	18%, Virustotal, Browse	unknown
clearancek.site	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	true	22%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
spirittunek.store	true	22%, Virustotal, Browse	unknown
licendfilteo.site	true	16%, Virustotal, Browse	unknown
eaglepawnoy.store	true	19%, Virustotal, Browse	unknown
mobbipenju.store	true	22%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://player.vimeo.com	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f	file.exe, 00000000.00000002.2037266220.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/market/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net/recaptcha/;	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.youtube.com	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://medal.tv	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://broadcast.st.dl.eccdnx.com	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://login.steampowered.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steam.tv/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900t	file.exe, 00000000.00000002.2037155601.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Gu9gs5hf	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=M7aU	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://recaptcha.net	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://sketchfab.com	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://lv.queniujq.cn	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://127.0.0.1:27060	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/recaptcha/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://checkout.steampowered.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.steampowered.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001611000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037155601.0000000001614000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001611000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001613000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com:443/profiles/76561199724331900L	file.exe, 00000000.00000002.2037266220.0000000001639000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001638000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036157566.0000000001637000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/;	file.exe, 00000000.00000003.2035968726.0000000001681000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2037266220.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036031727.0000000001644000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2036361909.0000000001644000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000000.00000003.2035968726.0000000001688000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.192.247.89	steamcommunity.com	United States		16625	AKAMAI-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531487
Start date and time:	2024-10-11 09:44:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@9/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:45:41	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.192.247.89	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	ASmartCore_[1MB]_[unsign].exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	Setup-Premium.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	carrier_ratecon.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
steamcommunity.com	l0T55kCdTI.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	23.199.218.33
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	l0T55kCdTI.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	23.199.218.33
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	6DroQ0jTFY.elf	Get hash	malicious	Mirai	Browse	95.101.248.58
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	cqdEWgq9fW.elf	Get hash	malicious	Mirai	Browse	95.101.248.12
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	View and Print Online.pdf	Get hash	malicious	Unknown	Browse	96.16.24.189
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	l0T55kCdTI.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	QKnj2Wb3yo.xlsx	Get hash	malicious	Hidden Macro 4.0	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.947234919214802
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'858'048 bytes
MD5:	e4c770f6fda588b14a87528fd955926c
SHA1:	7da417cf6be67062cc4a2a4dd78463733bc5f678
SHA256:	02b9b0b718e95eac3e42a21d89d42b8a9da1ddbb8da5ceecd0925555668aed6f
SHA512:	fcceb4567d97e777e9380bd728564fd8f6a46eb3f57f034a2c0f27c73ff9fef190b59f14b1f3113589de5dcbaca8def8a1f2ea10206d5797ff5bf3c613135689
SSDEEP:	49152:RWW2uxVcvWOHqHE9mhincH3Y6QusXfSH:cJ/IkdnjuAf
TLSH:	7F85339C8F038D67E5DD81780D2A6FBC5EE46301899A62760F2DA311C3FF5972AB0D19
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@..........................0J...........@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a0000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FA828B4346Ah
pabsb mm0, qword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FA828B45465h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ds
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	649c9ee2cfbfa0128f2c06a56db924ed	False	0.9994585396039604	data	7.97771484946437	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x2a2000	0x200	379cd323a3513af853dc330555c58c94	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
khlvkmgd	0x302000	0x19d000	0x19c200	204c98531aabf25c9eaeeb2ca5badfc0	False	0.9942170439035487	data	7.952694993737371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wdpcnvtj	0x49f000	0x1000	0x400	90786f62992ed1c2dbe68551a023d01c	False	0.7431640625	data	5.913733439439801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a0000	0x3000	0x2200	95f7975390cdcd002787c5fe1b86aba1	False	0.07778033088235294	DOS executable (COM)	0.9309442169998399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-11T09:45:41.672062+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.5	49670	1.1.1.1	53	UDP
2024-10-11T09:45:41.685787+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.5	51271	1.1.1.1	53	UDP
2024-10-11T09:45:41.698111+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.5	50856	1.1.1.1	53	UDP
2024-10-11T09:45:41.709857+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.5	55049	1.1.1.1	53	UDP
2024-10-11T09:45:41.721394+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.5	58145	1.1.1.1	53	UDP
2024-10-11T09:45:41.732591+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.5	51119	1.1.1.1	53	UDP
2024-10-11T09:45:41.743515+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.5	56512	1.1.1.1	53	UDP
2024-10-11T09:45:41.753921+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.5	53723	1.1.1.1	53	UDP
2024-10-11T09:45:42.864527+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49704	23.192.247.89	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2024 09:45:41.778872967 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:41.778907061 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:41.779005051 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:41.780193090 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:41.780225039 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.414875984 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.414969921 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.418638945 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.418649912 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.418989897 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.465399981 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.507432938 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864543915 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864572048 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864604950 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864625931 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864649057 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864655972 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.864672899 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.864706993 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.864739895 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.944886923 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.944926023 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.944947958 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.944982052 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.944997072 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.945024014 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.945045948 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.946762085 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.946782112 CEST	443	49704	23.192.247.89	192.168.2.5
Oct 11, 2024 09:45:42.946791887 CEST	49704	443	192.168.2.5	23.192.247.89
Oct 11, 2024 09:45:42.946798086 CEST	443	49704	23.192.247.89	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2024 09:45:41.672061920 CEST	49670	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.682662964 CEST	53	49670	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.685786963 CEST	51271	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.696789026 CEST	53	51271	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.698111057 CEST	50856	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.707555056 CEST	53	50856	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.709856987 CEST	55049	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.719085932 CEST	53	55049	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.721394062 CEST	58145	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.730385065 CEST	53	58145	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.732590914 CEST	51119	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.741359949 CEST	53	51119	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.743515015 CEST	56512	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.751754045 CEST	53	56512	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.753921032 CEST	53723	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.762769938 CEST	53	53723	1.1.1.1	192.168.2.5
Oct 11, 2024 09:45:41.766859055 CEST	59386	53	192.168.2.5	1.1.1.1
Oct 11, 2024 09:45:41.773665905 CEST	53	59386	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 11, 2024 09:45:41.672061920 CEST	192.168.2.5	1.1.1.1	0xf897	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.685786963 CEST	192.168.2.5	1.1.1.1	0x3685	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.698111057 CEST	192.168.2.5	1.1.1.1	0x6f8b	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.709856987 CEST	192.168.2.5	1.1.1.1	0xfcc	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.721394062 CEST	192.168.2.5	1.1.1.1	0xd91c	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.732590914 CEST	192.168.2.5	1.1.1.1	0x614e	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.743515015 CEST	192.168.2.5	1.1.1.1	0x7faf	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.753921032 CEST	192.168.2.5	1.1.1.1	0x7a30	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.766859055 CEST	192.168.2.5	1.1.1.1	0x77ca	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 11, 2024 09:45:41.682662964 CEST	1.1.1.1	192.168.2.5	0xf897	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.696789026 CEST	1.1.1.1	192.168.2.5	0x3685	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.707555056 CEST	1.1.1.1	192.168.2.5	0x6f8b	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.719085932 CEST	1.1.1.1	192.168.2.5	0xfcc	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.730385065 CEST	1.1.1.1	192.168.2.5	0xd91c	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.741359949 CEST	1.1.1.1	192.168.2.5	0x614e	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.751754045 CEST	1.1.1.1	192.168.2.5	0x7faf	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.762769938 CEST	1.1.1.1	192.168.2.5	0x7a30	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 11, 2024 09:45:41.773665905 CEST	1.1.1.1	192.168.2.5	0x77ca	No error (0)	steamcommunity.com		23.192.247.89	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	23.192.247.89	443	7120	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-11 07:45:42 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-11 07:45:42 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 11 Oct 2024 07:45:42 GMT Content-Length: 25489 Connection: close Set-Cookie: sessionid=dfaa5f27339075f537a79bad; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-11 07:45:42 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-11 07:45:42 UTC	10062	IN	Data Raw: 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 62 75 6c 67 61 72 69 61 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 62 75 6c 67 61 72 69 61 6e 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 Data Ascii: <a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a><a class="popup_menu_item tight" href="?l=bulgarian" onclick="ChangeLanguage( 'bulgarian' ); return fa
2024-10-11 07:45:42 UTC	913	IN	Data Raw: 74 3d 22 5f 62 6c 61 6e 6b 22 20 72 65 6c 3d 22 20 6e 6f 6f 70 65 6e 65 72 22 3e 67 65 6f 6e 61 6d 65 73 2e 6f 72 67 3c 2f 61 3e 2e 09 09 09 09 09 3c 62 72 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 76 61 6c 76 65 5f 6c 69 6e 6b 73 22 3e 0d 0a 09 09 09 09 09 09 09 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 70 72 69 76 61 63 79 5f 61 67 72 65 65 6d 65 6e 74 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 26 6e 62 73 70 3b 20 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 Data Ascii: t="_blank" rel=" noopener">geonames.org</a>.<br><span class="valve_links"><a href="http://store.steampowered.com/privacy_agreement/" target="_blank">Privacy Policy</a>  \|  <a href="https://store.steampowered.c

Target ID:	0
Start time:	03:45:38
Start date:	11/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd40000
File size:	1'858'048 bytes
MD5 hash:	E4C770F6FDA588B14A87528FD955926C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	56.2%
Total number of Nodes:	48
Total number of Limit Nodes:	6

Executed Functions

Function 00D850FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(19A41BB1,00000000,00000800), ref: 00D85182

Strings

<I$), xrefs: 00D852E3
<I$), xrefs: 00D85198
@^, xrefs: 00D85120

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: <I$)$<I$)$@^
API String ID: 1029625771-935358343
Opcode ID: 15e9acc833419b3344dcbf5386123037b695c22b4ae8b96312deec1f3bd3b2d6
Instruction ID: 179eabbb467cfa40b7f471151386e24752f2a7a3c8551234aac8f3355cdc3a3e
Opcode Fuzzy Hash: 15e9acc833419b3344dcbf5386123037b695c22b4ae8b96312deec1f3bd3b2d6
Instruction Fuzzy Hash: 0E21AE35108384CFC300EF68E881B2EB7E4AB6A300F69482CE1C5D7352D776DA15CB66

Function 00D4FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 00D4FCBE
VY^_, xrefs: 00D4FDFF
J|BJ, xrefs: 00D5000D
V, xrefs: 00D4FEDC

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: J|BJ$V$VY^_$t
API String ID: 0-3701112211
Opcode ID: 936fb07462ad46b9b0d5606b5f953cccfd8069161cfec795642dd476dceb7776
Instruction ID: 36d6efeaf9bda7b962f94c67f5557670a462c4e1dac08cbbbdcfcf1c3addef12
Opcode Fuzzy Hash: 936fb07462ad46b9b0d5606b5f953cccfd8069161cfec795642dd476dceb7776
Instruction Fuzzy Hash: 19D158745083909BD711DF189490A2FBFE1AF96745F18882CF8C98B262D336CD49DBA3

Function 00D4D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00D4D2F1

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 628b2e3609257fa8173cea4120fb38726ba2f0351d3fadc2ac0b65f00702a64c
Instruction ID: 1a3c93da0f1dba910517b5d45a959da1c1b29908925646b397d2c1a529f33289
Opcode Fuzzy Hash: 628b2e3609257fa8173cea4120fb38726ba2f0351d3fadc2ac0b65f00702a64c
Instruction Fuzzy Hash: 8841227050D380ABC701AF68D585A2EFBE6EF92745F188C1CE9C897252C336D8148B7B

Function 00D85BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00D8973D,005C003F,00000006,?,?,00000018,8C8D8A8B,?,?), ref: 00D85BDE

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00D8695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00D869C5

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 77ecb44ed3bb7ed050c20c6429114207235a6872667046cb061d27e55102e450
Instruction ID: 74cd1e6655e8f169d263619ccb048fb482a324792059571b6ee180d4634649f6
Opcode Fuzzy Hash: 77ecb44ed3bb7ed050c20c6429114207235a6872667046cb061d27e55102e450
Instruction Fuzzy Hash: 8D3196B15183019FD718EF18D8A0B2AB7F2EF84344F18882DE5C6E72A1E335D904CB66

Function 00D5049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3416a40bd20ce184065dd243c9fa3a72be4700f408e8e3c4045f1d909f995c
Instruction ID: 617633e8115b6a98c13adad83f1c0ed3ce316c37203981b6ff6d93599656de89
Opcode Fuzzy Hash: 8f3416a40bd20ce184065dd243c9fa3a72be4700f408e8e3c4045f1d909f995c
Instruction Fuzzy Hash: 65918A75210B00DFD7248F25E890B26B7F6FF89315B118A6DE856CBBA2D731E815CB60

Function 00D50228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25b73722d5a502bb035983867f4cda643e33045d5e520de27dc1fd2ecd564be
Instruction ID: 0fb79fe60b29c92b7e15ea07466b8cf70e6911bdac382871fb8df908a22815d6
Opcode Fuzzy Hash: f25b73722d5a502bb035983867f4cda643e33045d5e520de27dc1fd2ecd564be
Instruction Fuzzy Hash: 03716775210701DFD7248F21EC94B26BBB6FF89315F148969E896CB762CB31E819CB60

Function 00D899D0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7b70e936ce7e526e93502b5ae7ee3ac72c6dc92ad62f9a8b59d1acc2cdee3
Instruction ID: ed31724fbae4e9890c026c4f0871bed6c4692adfb6bb71b91bea85f2b8e85dda
Opcode Fuzzy Hash: 96f7b70e936ce7e526e93502b5ae7ee3ac72c6dc92ad62f9a8b59d1acc2cdee3
Instruction Fuzzy Hash: CE414A34208300ABDB15AB55E8A0B3BF7EAEB85714F5C882DF5CA97251D335E811CB72

Function 00D863B8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5789559dd96d9c007a253aa4d299e6a94c54665e5a5411d9fa4180039813045f
Instruction ID: b0305db7d697986c97586411e62a062768fdbb834471867c0c30ed6a04430291
Opcode Fuzzy Hash: 5789559dd96d9c007a253aa4d299e6a94c54665e5a5411d9fa4180039813045f
Instruction Fuzzy Hash: A931A570649301BADA24EB08DD82F3EB7A5EB91B61F68451CF1C1A72D5D370E8118B72

Function 00D83220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00D832A6

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 683a502f5b08310873e2498000fce99e0e28306a5837c89a7466a70e0c129255
Instruction ID: 771bf89994a1dd2574bcc833c40570f44c94725d9574bd3be934d87c0ae53239
Opcode Fuzzy Hash: 683a502f5b08310873e2498000fce99e0e28306a5837c89a7466a70e0c129255
Instruction Fuzzy Hash: E501693450D3409BC701EF58E889A1EBBE9EF4AB00F05891CE5C98B361D335ED60CBA6

Function 00D83202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00D83208

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 55e8db8d839b19d5e23509f21a15576859252bcc2c83c6b88823d790328f4fce
Instruction ID: 55e9d4f268d1c5c1cdbefca1ba2c7e13c8e1c7aff2e03353a08c540468e19eca
Opcode Fuzzy Hash: 55e8db8d839b19d5e23509f21a15576859252bcc2c83c6b88823d790328f4fce
Instruction Fuzzy Hash: 37B012300401005FDA041B00FC0AF003511EB00605F900050A101441B1D1615864C564

Non-executed Functions

Function 00D5DB6F Relevance: 32.0, Strings: 24, Instructions: 2006COMMON

Download Yara Rule

Strings

dcba, xrefs: 00D5E728
89&', xrefs: 00D5E93B
tuJK, xrefs: 00D5E967
()./, xrefs: 00D5E9CA
%*+(, xrefs: 00D5DE37, 00D5DE46
<=:;, xrefs: 00D5E930
:WUE, xrefs: 00D5F6B7, 00D5F6C6
tsrq, xrefs: 00D5E6FC
@ONM, xrefs: 00D5E6DB
`Y^_, xrefs: 00D5E99E
AR, xrefs: 00D5DD10
lkji, xrefs: 00D5E73E
T, xrefs: 00D5F157
DCBA, xrefs: 00D5E887, 00D5E896
<=2, xrefs: 00D5EA01
D, xrefs: 00D5E846
89>?, xrefs: 00D5E9F6
|, xrefs: 00D5ECB1
WP, xrefs: 00D5DCEF
`onm, xrefs: 00D5E733
QNOL, xrefs: 00D5E775
xgfe, xrefs: 00D5E71D
mjkh, xrefs: 00D5E7D8
LKJI, xrefs: 00D5E6E6

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($()./$89&'$89>?$:WUE$<=2$<=:;$@ONM$AR$D$DCBA$LKJI$QNOL$T$WP$`Y^_$`onm$dcba$lkji$mjkh$tsrq$tuJK$xgfe$|
API String ID: 2994545307-1418943773
Opcode ID: a31376137e40ffe55507e47d9618194f566f3b92abcff48589fa762c97271a51
Instruction ID: e237b7f0f28879eda38b67be15a4d7ef76996651ccd94569f43a2d672c016a18
Opcode Fuzzy Hash: a31376137e40ffe55507e47d9618194f566f3b92abcff48589fa762c97271a51
Instruction Fuzzy Hash: 56F27AB05093819BDB74DF14C484BABBBE6FFD5345F18482DE8C98B251E7319988CB62

Function 00D723E0 Relevance: 31.3, APIs: 4, Strings: 12, Instructions: 3298COMMON

Download Yara Rule

Strings

3<, xrefs: 00D732D6
aenQ, xrefs: 00D7276A
f@~!, xrefs: 00D725FF
`tii, xrefs: 00D72693
:, xrefs: 00D732DD
mlc@, xrefs: 00D7275C
%*+(, xrefs: 00D740EF
ggxz, xrefs: 00D72685
fedc, xrefs: 00D72782
{l`~, xrefs: 00D7268C
Cx, xrefs: 00D7453D
|}&C, xrefs: 00D72F21

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+($3<$:$Cx$`tii$aenQ$f@~!$fedc$ggxz$mlc@${l`~$|}&C
API String ID: 0-786070067
Opcode ID: 1e36448d0cc954c9c33de7a5bb06b195c4fb6b37468289eba2525c58c19e0597
Instruction ID: ad9dbbd7a7bc595eb4513c45a8ae18b86e85c61b1fd550ebd756f7e260b4fe6d
Opcode Fuzzy Hash: 1e36448d0cc954c9c33de7a5bb06b195c4fb6b37468289eba2525c58c19e0597
Instruction Fuzzy Hash: 3033AD70504B818FD7258F38C590B62BBE1FF16304F58899DE4DA8BB92D735E906CBA1

Function 00D69F62 Relevance: 21.7, Strings: 17, Instructions: 473COMMON

Download Yara Rule

Strings

(a*c, xrefs: 00D6A147
?m,o, xrefs: 00D6A13C
S], xrefs: 00D6A636
hi, xrefs: 00D6AB9D
kW, xrefs: 00D6A380
Gt, xrefs: 00D69FF8
CG, xrefs: 00D6AA32
sm, xrefs: 00D6A830
]{, xrefs: 00D6A1E7, 00D6A1F3
_Y, xrefs: 00D6A641
/), xrefs: 00D6A66D
WQ, xrefs: 00D6A62B
WH, xrefs: 00D6AA1C
=], xrefs: 00D6A36A
JG, xrefs: 00D6AA27
%e6g, xrefs: 00D6A152
N[, xrefs: 00D6A375

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %e6g$(a*c$=]$?m,o$CG$Gt$JG$N[$WH$]{$hi$kW$/)$S]$WQ$_Y$sm
API String ID: 0-1131134755
Opcode ID: 4cd5a9332f63e519076c1f6bcb6264828bb65a62b00a715d2ac7db845a626109
Instruction ID: 8de22082dd18b361909d4f7e1247876ed85a0803f606b53235fcaa998a6d4225
Opcode Fuzzy Hash: 4cd5a9332f63e519076c1f6bcb6264828bb65a62b00a715d2ac7db845a626109
Instruction Fuzzy Hash: 4E52B6B844D385CAE270CF25D581B8EBAF1BB92740F609A1DE1ED9B255DB708045CFA3

Function 00D69510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

L3Y=, xrefs: 00D69B03
B?Q9, xrefs: 00D69B0B
,A&C, xrefs: 00D6982E
pq, xrefs: 00D699E0
O+f), xrefs: 00D69634, 00D6963D
B7U1, xrefs: 00D69AFB
G+X5, xrefs: 00D69AF3
G'M!, xrefs: 00D69ADB
T#a-, xrefs: 00D69AE3
X/R), xrefs: 00D69AEB
8;, xrefs: 00D69B13
2A"_, xrefs: 00D69980
;IJK, xrefs: 00D6983E
?M0K, xrefs: 00D69968
z=Q?, xrefs: 00D69826
!E4G, xrefs: 00D69836

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: 6baff9faf11829bf45f435b636b2d79eecff0f3f805e0d293e3969852a633c49
Instruction ID: b8d14039799c0ad0ce9b1300148c14a594ae58ec84684a891ef1d13a4d90ccc0
Opcode Fuzzy Hash: 6baff9faf11829bf45f435b636b2d79eecff0f3f805e0d293e3969852a633c49
Instruction Fuzzy Hash: A6F13DB0508380ABD310DF55D891A2BBBF8FB86B48F144D1DF4D99B252D334DA08CBA6

Function 00F07BB0 Relevance: 15.4, Strings: 11, Instructions: 1647COMMON

Download Yara Rule

Strings

ZK8, xrefs: 00F07EB9
:, xrefs: 00F0821F
EYW~, xrefs: 00F085F5
AYW~, xrefs: 00F085FA
ZK8, xrefs: 00F07EA5
G2Sv, xrefs: 00F07EC3
V{y, xrefs: 00F088C4
sg+o, xrefs: 00F08566
[Z{, xrefs: 00F08005
i;77, xrefs: 00F081E1
lnws, xrefs: 00F08704

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: ZK8$ZK8$ :$AYW~$EYW~$G2Sv$V{y$[Z{$i;77$lnws$sg+o
API String ID: 0-2003417201
Opcode ID: e12d3e7cb0e50a4549c5d3ed887aeba6fbb38f3cc034d9a318070b129b0c8935
Instruction ID: 5791f742969fbd7ebb0a0a3af4ebafbb6117a35646d8b35e308dff603b06356b
Opcode Fuzzy Hash: e12d3e7cb0e50a4549c5d3ed887aeba6fbb38f3cc034d9a318070b129b0c8935
Instruction Fuzzy Hash: 48B239F3A082109FD3046F2DEC8567AFBE9EF94620F164A3DEAC4D3744EA3558458792

Function 00D6DD29 Relevance: 14.9, Strings: 11, Instructions: 1142COMMON

Download Yara Rule

Strings

=]+_, xrefs: 00D6E276
%*+(, xrefs: 00D6E143
-M2O, xrefs: 00D6E25A
hX]N, xrefs: 00D6DDC7
<Y.[, xrefs: 00D6E27D
{E, xrefs: 00D6E323
upH}, xrefs: 00D6DE8A, 00D6E798, 00D6DF4A
)IgK, xrefs: 00D6E261
,Q?S, xrefs: 00D6E26F
n\+H, xrefs: 00D6DDC0
Y9N;, xrefs: 00D6E245

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+($)IgK$,Q?S$-M2O$<Y.[$=]+_$Y9N;$hX]N$n\+H$upH}${E
API String ID: 0-1557708024
Opcode ID: a5fd55c4e8062d4694aaeaf660479fbb957166fe236070b9d3b858f6f5ac6846
Instruction ID: c450df538d094dcb011ee637041519f6c25a3e3087175d3d915a9d10825fa7e2
Opcode Fuzzy Hash: a5fd55c4e8062d4694aaeaf660479fbb957166fe236070b9d3b858f6f5ac6846
Instruction Fuzzy Hash: 2F92D575E00215CFDB14CFA8D8517AEBBB2FF49310F298269E456AB391D735AD01CBA0

Function 00F0E91D Relevance: 12.9, Strings: 9, Instructions: 1655COMMON

Download Yara Rule

Strings

~Hl], xrefs: 00F0EF11
zAs, xrefs: 00F0F689
FOw_, xrefs: 00F0E93E
/~', xrefs: 00F0FA8A
-^V, xrefs: 00F0FC24
AcQ~, xrefs: 00F0ED41
3~', xrefs: 00F0FA84
zT;F, xrefs: 00F0F9C4
&0{9, xrefs: 00F0EB35

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: &0{9$-^V$/~'$3~'$AcQ~$FOw_$zAs$zT;F$~Hl]
API String ID: 0-3247002390
Opcode ID: 9bd9fed426bb1f09c272e58b7a71b5da02dc5cec68caae43c2a2ad4ddd5922da
Instruction ID: 9451ba102ab12db6f8c00cea9c14a8739c7f9a5ebb27152e073a9a811b2498ef
Opcode Fuzzy Hash: 9bd9fed426bb1f09c272e58b7a71b5da02dc5cec68caae43c2a2ad4ddd5922da
Instruction Fuzzy Hash: 05B219F360C2009FE304AE2DEC8567ABBE9EFD4720F1A853DEAC4C3744E93558158696

Function 00D6098B Relevance: 10.8, Strings: 8, Instructions: 836COMMON

Download Yara Rule

Strings

qrqp, xrefs: 00D61089
,#15, xrefs: 00D60F94
9.5^, xrefs: 00D60F9F
%*+(, xrefs: 00D60A77, 00D60A86
{, xrefs: 00D61502
gce/, xrefs: 00D61073
&> &, xrefs: 00D60F89
cah`, xrefs: 00D6107E

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+($&> &$,#15$9.5^$cah`$gce/$qrqp${
API String ID: 0-4102007303
Opcode ID: 7d36ff1094446533fdce82df957368f2082a72df4e02dd718529d616def1d95e
Instruction ID: 791c4614dd169539b87374fcec4206b1f6c92070ea79ae0be1d8dcbb1be5d2a2
Opcode Fuzzy Hash: 7d36ff1094446533fdce82df957368f2082a72df4e02dd718529d616def1d95e
Instruction Fuzzy Hash: 7A6298B56083818FD730CF18D891BABBBE1FF96314F09492DE49A8B641E7759940CB63

Function 00D41000 Relevance: 10.5, Strings: 7, Instructions: 1785COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00D41587, 00D415F8
0123456789ABCDEFXP, xrefs: 00D4157D, 00D415EB
gfff, xrefs: 00D42297
gfff, xrefs: 00D42226
@, xrefs: 00D42C40
gfff, xrefs: 00D422E1
-, xrefs: 00D421ED

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$@$gfff$gfff$gfff
API String ID: 0-2517803157
Opcode ID: c1be9390684a30cb8cbbab0c675e02b1671aeca3209b8ede7654fe579961de9f
Instruction ID: 4093f2fb6ea5a36441f8f8697e6daa5984c11c32387860facf15649a29a3004f
Opcode Fuzzy Hash: c1be9390684a30cb8cbbab0c675e02b1671aeca3209b8ede7654fe579961de9f
Instruction Fuzzy Hash: A1D2E1716083518FD718CE28C89436ABBE2AFD9314F188A2DF4D9CB391D774D945CBA2

Function 00F0463D Relevance: 7.9, Strings: 5, Instructions: 1623COMMON

Download Yara Rule

Strings

nJ{o, xrefs: 00F05023
Uw|, xrefs: 00F051AA
z*m~, xrefs: 00F0510D
FrE_, xrefs: 00F050D1
j7Y, xrefs: 00F0559F

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: FrE_$Uw|$nJ{o$z*m~$j7Y
API String ID: 0-2396196880
Opcode ID: f210bb4775540ec917f7f2afec777618192ff7ac4aa922ab4afff194e3319885
Instruction ID: 156dc303b6dc7014fe97b9da2a9d9bf00580839b862678b4c99e34ad3f2fd56f
Opcode Fuzzy Hash: f210bb4775540ec917f7f2afec777618192ff7ac4aa922ab4afff194e3319885
Instruction Fuzzy Hash: C0B207F3A0C6049FE3046E2DEC8567ABBE9EF94720F1A853DEAC4C3744E63558058697

Function 00F06134 Relevance: 7.9, Strings: 5, Instructions: 1605COMMON

Download Yara Rule

Strings

>)o?, xrefs: 00F07146
_', xrefs: 00F0646E
KG, xrefs: 00F068DC
&nz2, xrefs: 00F06D45
Dsoo, xrefs: 00F06B9E

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: _'$&nz2$>)o?$Dsoo$KG
API String ID: 0-1747803725
Opcode ID: ac144fc0ba9e66f5786d9492d6eb9020bda490c742bb530c0910fad1e3689bbe
Instruction ID: f182510e6f11769eef7118405e650f8fd21a714f75baad22dd00b03d6843a4f0
Opcode Fuzzy Hash: ac144fc0ba9e66f5786d9492d6eb9020bda490c742bb530c0910fad1e3689bbe
Instruction Fuzzy Hash: BDB219F360C2049FE304AE2DEC8567ABBE5EF94720F16893DE6C5C3744EA3558058697

Function 00F0B29D Relevance: 7.9, Strings: 5, Instructions: 1601COMMON

Download Yara Rule

Strings

h3[, xrefs: 00F0C50C
$f-, xrefs: 00F0B706
nD}, xrefs: 00F0B3D1
DD}V, xrefs: 00F0C2E3
o2X}, xrefs: 00F0C1BD

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: $f-$DD}V$nD}$o2X}$h3[
API String ID: 0-3637808067
Opcode ID: 4dbdc4867d5ebcb8279206cfc5287e349c7d9cc4492bfb8c4f8e30d5ad9e9e83
Instruction ID: e438ea505224f73e47f5e355f860b67932230452e68da4eec6d4119f30ac31c7
Opcode Fuzzy Hash: 4dbdc4867d5ebcb8279206cfc5287e349c7d9cc4492bfb8c4f8e30d5ad9e9e83
Instruction Fuzzy Hash: 3EB208F360C2149FE304AE29EC8567AFBE9EF94720F16493DEAC4C7744EA3158058697

Function 00F02AC8 Relevance: 7.8, Strings: 5, Instructions: 1570COMMON

Download Yara Rule

Strings

gz\U, xrefs: 00F02D15
'XOO, xrefs: 00F03B2F
7]a, xrefs: 00F02B22
p?_, xrefs: 00F036FF
r4ko, xrefs: 00F034AF

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 'XOO$7]a$gz\U$r4ko$p?_
API String ID: 0-871701172
Opcode ID: 5bbc6dab324f10ee2ca5aa838755b8aa6f27132b8d820b1b9bf13bb688f9ecc1
Instruction ID: ddb66d404e4a5c2acb57fde3553b7a1d171f87d75f7b611e6d0e02a26a47f4d8
Opcode Fuzzy Hash: 5bbc6dab324f10ee2ca5aa838755b8aa6f27132b8d820b1b9bf13bb688f9ecc1
Instruction Fuzzy Hash: 57B2F7F3A082049FE304AF2DDC8567ABBE5EF94720F1A893DE6C4C7744E63598418687

Function 00D412F7 Relevance: 7.2, Strings: 5, Instructions: 922COMMON

Download Yara Rule

Strings

0, xrefs: 00D41DC1
i, xrefs: 00D428EA
0, xrefs: 00D4243E
0, xrefs: 00D41E88
@, xrefs: 00D43531

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 0$0$0$@$i
API String ID: 0-3124195287
Opcode ID: e07dd7544e641e85ef7faae550890e572a9406190a0660397c4f635d4074d2a9
Instruction ID: bb6a2a92ad46847ce824bf683b09957fde7400c8d77509ec201c4ec3b3c258fc
Opcode Fuzzy Hash: e07dd7544e641e85ef7faae550890e572a9406190a0660397c4f635d4074d2a9
Instruction Fuzzy Hash: 1D62DE71A0C3818BC319CF28C49476ABBE1AFD5344F588A2DF8D987391D774D949CBA2

Function 00D4164F Relevance: 6.7, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00D41659
0123456789ABCDEFXP, xrefs: 00D4164F
gfff, xrefs: 00D41F3C
+, xrefs: 00D41573
gfff, xrefs: 00D41F57

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: +$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-1123320326
Opcode ID: 1747499fb4ca6c3f7af9f67ce08b4e9e711764d46cb13e9f6ec3c173bcb74b1f
Instruction ID: 4002a041e6d28628661621d60c05b2c94d82b112f4a447d6739f753ef350fb41
Opcode Fuzzy Hash: 1747499fb4ca6c3f7af9f67ce08b4e9e711764d46cb13e9f6ec3c173bcb74b1f
Instruction Fuzzy Hash: 61F19E3560C3818FC719CE29C48426AFBE2AFD9304F588A6DF4D987356D734D949CBA2

Function 00D413A3 Relevance: 6.6, Strings: 5, Instructions: 390COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 00D413AD
0123456789ABCDEFXP, xrefs: 00D413A3
gfff, xrefs: 00D41F3C
-, xrefs: 00D41F23
gfff, xrefs: 00D41F57

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff
API String ID: 0-3620105454
Opcode ID: 9c83d24715a1aedaf08c19dd3ea6651b77a193e56f185e010178244bfa2aca1a
Instruction ID: ea8768f34861679ada2974812937877560a6b6a33d78c43e493100f6ea8cb989
Opcode Fuzzy Hash: 9c83d24715a1aedaf08c19dd3ea6651b77a193e56f185e010178244bfa2aca1a
Instruction Fuzzy Hash: 6AD18E3560C7818FC719CE29C48426AFFE2AFD9304F48CA6EE4D987356D634D949CB62

Function 00F10449 Relevance: 6.6, Strings: 4, Instructions: 1561COMMON

Download Yara Rule

Strings

Z[n, xrefs: 00F10DCD
ZU2Q, xrefs: 00F10739
v^4, xrefs: 00F1045E
2p~, xrefs: 00F113B8

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 2p~$ZU2Q$Z[n$v^4
API String ID: 0-1175611204
Opcode ID: 3bcc5639742ab4c41c665f1d62848d5ccebd4a19b4e07edff6f7dba870a38a37
Instruction ID: 712b6dcf6d9c8b790e90545e14587ccc67141afd2cc84d5ff853065738a07c75
Opcode Fuzzy Hash: 3bcc5639742ab4c41c665f1d62848d5ccebd4a19b4e07edff6f7dba870a38a37
Instruction Fuzzy Hash: 19B21AF350C204AFE304AE29EC8567AFBE9EF94720F1A493DEAC5C7744E63598048657

Function 00D6FD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

NA_I, xrefs: 00D7036D
uvw, xrefs: 00D6FE95
m1s3, xrefs: 00D6FEC3, 00D6FECB
:, xrefs: 00D70087

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 188abf4e69aa6606bc1de0240defced12c893792ee5f02bd9c3b22af4b28b109
Instruction ID: 9b410e505cbe4ae127ab417b65c6fb5f4d41bc2b235bcd6780c4b61300aa8d7c
Opcode Fuzzy Hash: 188abf4e69aa6606bc1de0240defced12c893792ee5f02bd9c3b22af4b28b109
Instruction Fuzzy Hash: 6732ACB4508381DFD311DF28D880A2ABBE5EB8A354F18895DF5D58B392E335D905CB62

Function 00D53BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

ss, xrefs: 00D53C79
;z, xrefs: 00D53C87
p, xrefs: 00D53C80
%*+(, xrefs: 00D53EC4

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: e179da98fc706d97056c3b2664b3b2869796a2c742aca2fcd039212ab2b3a1b1
Instruction ID: 4651333258fe1ca932ed9cda9df2a47ae63e81897987137f5d0892e85f3713d9
Opcode Fuzzy Hash: e179da98fc706d97056c3b2664b3b2869796a2c742aca2fcd039212ab2b3a1b1
Instruction Fuzzy Hash: 87024BB4810B009FDB60DF28D986756BFF5FB01301F50895DEC9A9B695E330A419CFA2

Function 00D62260 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

hu, xrefs: 00D6232F
sj, xrefs: 00D62327
lc, xrefs: 00D62507
a|, xrefs: 00D62317

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: a|$hu$lc$sj
API String ID: 0-3748788050
Opcode ID: 9dea5ab31a2bd3c9554107495945679b86b2e79f74c952c899daaa24bf09dbd1
Instruction ID: 7b6f071101db944b2f1a5abdf3737bf0ee8a1118d73b764bda8f0a659f47d984
Opcode Fuzzy Hash: 9dea5ab31a2bd3c9554107495945679b86b2e79f74c952c899daaa24bf09dbd1
Instruction Fuzzy Hash: DEA18C704087418BC720DF18C891A2BB7F0FFA6754F589A0CE8D59B291E739E945CBA6

Function 00D6D7AF Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

T>, xrefs: 00D6D984
#', xrefs: 00D6D9EA
KV, xrefs: 00D6D97D
CV, xrefs: 00D6D98B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: #'$CV$KV$T>
API String ID: 0-95592268
Opcode ID: c382c70246b0d74dff4204c51fa0a44b4a8d1c3fd23a22364436139e5d6459bf
Instruction ID: 387edb1c3c7ba5b5d65da28a125aa87f18de3065f72b546d02c909a5ef15f033
Opcode Fuzzy Hash: c382c70246b0d74dff4204c51fa0a44b4a8d1c3fd23a22364436139e5d6459bf
Instruction Fuzzy Hash: 758155B48017459BCB20DFA6D28516EBFB1FF16300F60460CE486ABA55D330AA55CFE2

Function 00D6AC91 Relevance: 5.1, Strings: 4, Instructions: 128COMMON

Download Yara Rule

Strings

,{*y, xrefs: 00D6AD07, 00D6AD13
4c2a, xrefs: 00D6ACA9
(g6e, xrefs: 00D6ACA1
lk, xrefs: 00D6ACBC

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: (g6e$,{*y$4c2a$lk
API String ID: 0-1327526056
Opcode ID: 8529c51332d7c6270f239a55834d4d4b0b520b5229473ff11c303920534d4084
Instruction ID: 9a4734bbc1786f841b8fd3c9e3028056cf7576ca3c3e50a32022d097918683f9
Opcode Fuzzy Hash: 8529c51332d7c6270f239a55834d4d4b0b520b5229473ff11c303920534d4084
Instruction Fuzzy Hash: D24164B44083828BD7209F24D900BABB7F4FF86345F54595EE5C8A7260EB36D944CFA6

Function 00EFF9CC Relevance: 4.9, Strings: 3, Instructions: 1185COMMON

Download Yara Rule

Strings

e8_?, xrefs: 00F002E5
`8{w, xrefs: 00EFFD9C
8d}, xrefs: 00F006E1

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 8d}$`8{w$e8_?
API String ID: 0-2372778658
Opcode ID: cbf295e7b23bfec569b76bb44135ab92f0ef0c8a1eecc237c2fbebc3464d1f73
Instruction ID: e798955e7696b4ee8e06ec0ba488942bb46d5586fdd348cdcb1df22530824f69
Opcode Fuzzy Hash: cbf295e7b23bfec569b76bb44135ab92f0ef0c8a1eecc237c2fbebc3464d1f73
Instruction Fuzzy Hash: 0A8226F3A0C2049FE3046F29EC8567AFBE9EF94720F1A493DE6C483744EA3558458697

Function 00D6C470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D6C9E4, 00D6C9ED
~/i!, xrefs: 00D6C537
%*+(, xrefs: 00D6C8C3, 00D6C8CB

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: d525dcbe0fb6fbad886e038baee7ba85880a7545f60628a5e74e7a682ba6b67a
Instruction ID: 1ea59ca9f880737f282beaf0e9e3bf52dfbf1b37ad2c206016cbb9ea0a8ef7ac
Opcode Fuzzy Hash: d525dcbe0fb6fbad886e038baee7ba85880a7545f60628a5e74e7a682ba6b67a
Instruction Fuzzy Hash: B6E186B5918381DFE3209F68D881B2ABBE5FB85344F48892DE6C987251D731D814CBA2

Function 00D48590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

IEND, xrefs: 00D489F0
), xrefs: 00D4860C
), xrefs: 00D48616

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 0ab1663f3e891f78f393c929dbdfffac2987cc2e28f7940a111b047d43e68618
Instruction ID: 7477cdcfab553ce536efdf83d84443e298e6dbc480750e07d55cb26777789166
Opcode Fuzzy Hash: 0ab1663f3e891f78f393c929dbdfffac2987cc2e28f7940a111b047d43e68618
Instruction Fuzzy Hash: 52E1DFB1A087029FE310DF28C88172EBBE0FB94354F144A2DE99597391DB75E914CBE2

Function 00D84040 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D840A4, 00D840AD
f, xrefs: 00D8420C

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+($f
API String ID: 0-2038831151
Opcode ID: ebf59b1c855638c28d73690249cbee0e880f305aed2b29ebe35254c08e466ebd
Instruction ID: da98f16456673d6d1fae2f51a17a0d4b501642ee5ccc1fe1eb0e4f81d5444431
Opcode Fuzzy Hash: ebf59b1c855638c28d73690249cbee0e880f305aed2b29ebe35254c08e466ebd
Instruction Fuzzy Hash: 5C12BD715083429FC715EF18D880B2EBBE2FB89314F188A2DF4949B391D735E905CBA2

Function 00D7F620 Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

dg, xrefs: 00D7F7F5
hi, xrefs: 00D7F6E6

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: dg$hi
API String ID: 0-2859417413
Opcode ID: a63d8d1b91e0bcb330d7f90e8647d0449605e8e3e8270b976f32fa4b7d090d80
Instruction ID: 4e760373745c8cdf56bffc10e27403b9576a4b889ee13056be409635a35b6730
Opcode Fuzzy Hash: a63d8d1b91e0bcb330d7f90e8647d0449605e8e3e8270b976f32fa4b7d090d80
Instruction Fuzzy Hash: 00F18272618341EFE314CF25C891B6EBBE6EF86344F14892DF1998B2A1D734D944CB62

Function 00D435B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

Inf, xrefs: 00D43607
NaN, xrefs: 00D4360E

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: 40b7dd7f952e0235078bd0a28202c49f48fa07982eb9704d7dc517a889b5849a
Instruction ID: e5a10736c9cc5923d7c35b138b33ad75583f348af5cfbd0dffd1cbe9fce95e65
Opcode Fuzzy Hash: 40b7dd7f952e0235078bd0a28202c49f48fa07982eb9704d7dc517a889b5849a
Instruction Fuzzy Hash: F2D1D371A183119BC708CF2CC88161EBBE1EBC8750F258A2DF9D9973A0E771DD058B92

Function 00E2981F Relevance: 2.7, Strings: 2, Instructions: 206COMMON

Download Yara Rule

Strings

l^;_, xrefs: 00E29984
<qT', xrefs: 00E299FA

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: <qT'$l^;_
API String ID: 0-1731211220
Opcode ID: 387fa9067de4b60c586225a6b6c39bb4e236c47f2836e6e375f30b7574b294fe
Instruction ID: 0d1b9420008cf242434177e1b2c5de20b9ad42a7519d74b183c70c019ac52c3a
Opcode Fuzzy Hash: 387fa9067de4b60c586225a6b6c39bb4e236c47f2836e6e375f30b7574b294fe
Instruction Fuzzy Hash: 1E5159B36087145BE308AE2DDC857BBF7DADBC4320F15C63DEAC487B88E93954058292

Function 00D5FFDF Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

BaBc, xrefs: 00D60197
Ye[g, xrefs: 00D600F6

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: BaBc$Ye[g
API String ID: 0-286865133
Opcode ID: effa7900f81af6f618f73a3ad50e8e47d3a8aab92a716f3066f020cb70f0cca0
Instruction ID: 1f937d228507e1e0c9f64df25b94bd656a6f3ecfa8b9c9ddbee61d5d3df55bb6
Opcode Fuzzy Hash: effa7900f81af6f618f73a3ad50e8e47d3a8aab92a716f3066f020cb70f0cca0
Instruction Fuzzy Hash: 9D51ACB16083818BD731CF18C881BABBBE0FF96350F19491DE4DA8B691E3749944CB67

Function 00D45160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00D454C8

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 9e81a88cde8ba3d831f2067973df2f36dc36be72787557daf6a59488e674460f
Instruction ID: 6b6ea19519b4f878682433a0b156134e7526e335f2ae520c7c9c00487923ad1c
Opcode Fuzzy Hash: 9e81a88cde8ba3d831f2067973df2f36dc36be72787557daf6a59488e674460f
Instruction Fuzzy Hash: 5A22E4B6A08B42CBE7158F18E84032ABBE2AFE1314F1D856DD8994B34BE771DC45C761

Function 00D712D0 Relevance: 1.7, Strings: 1, Instructions: 484COMMON

Download Yara Rule

Strings

", xrefs: 00D715D1

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction ID: 6d3547bbadde5da2d5414ef2a19b479f0cdcb0b15b0f42b0678b4120d9eef1a1
Opcode Fuzzy Hash: 1e36e4a90a5bcd9904d9a2755a98640d2f51fe7f53356f7c076c40d918f289ea
Instruction Fuzzy Hash: 91F11679A083515BC728CE2CC49162BBBE5AFC5354F1CCA6DE89D87382E634DD0587B2

Function 00D6AE57 Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D6B2D3, 00D6B2DB

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 88a1c13ef1aa695f5503dd6c95c98ecd3ccf92bb55847dfc7f1a7478ff2ad700
Instruction ID: 3fb296183c241c957dd1ea19f59c7cb1a6287420139555eb21baffadd6d740d7
Opcode Fuzzy Hash: 88a1c13ef1aa695f5503dd6c95c98ecd3ccf92bb55847dfc7f1a7478ff2ad700
Instruction Fuzzy Hash: F7E1CA75508306CBC714DF28C89056EB7E2FF99791F58891DE4C587320E331E999CBA2

Function 00D56EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D56EF3

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e13361f8e6634aee64196d06d90c71ded2e561db2caf0a32da7c67789f67cb5c
Instruction ID: f5de77bad5484560ee9d1f465c456fb1917677a0514c6e6f7f9c03b57a8d43eb
Opcode Fuzzy Hash: e13361f8e6634aee64196d06d90c71ded2e561db2caf0a32da7c67789f67cb5c
Instruction Fuzzy Hash: 6FF19FB5A107018FCB24DF28D881A26B3F6FF48315B54892DE89787791EB31F919CB61

Function 00D67E60 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D68263, 00D6826B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 3728d69840f20658d6eae5a0c4ebca5d1423b8181e61693a7e1e70da0bb35b83
Instruction ID: faa48b2b4174b700d525a64ef94a818fc0c1f296bab1b84f1735cfa498e3973f
Opcode Fuzzy Hash: 3728d69840f20658d6eae5a0c4ebca5d1423b8181e61693a7e1e70da0bb35b83
Instruction Fuzzy Hash: B7C1BFB1508300ABD710EF14C892A2BB7F5EF96754F088918F8C597251E735ED15EBB2

Function 00F11023 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

2p~, xrefs: 00F113B8

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 2p~
API String ID: 0-2808775495
Opcode ID: 315144d7850b7f85eaa8e69d39575af9624488ea8d8d71ef8b0497c2bbce8093
Instruction ID: e590ef00484a1c36585139413ed3905afc9bf70acaac9a09956b3aae62149a19
Opcode Fuzzy Hash: 315144d7850b7f85eaa8e69d39575af9624488ea8d8d71ef8b0497c2bbce8093
Instruction Fuzzy Hash: 89D1F5F360C204AFE704AE2DECC566ABBE9EF54320F15493DEAC5C3340E63598558653

Function 00D68D62 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D69233, 00D6923B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: cf29bde1ee1b6875675a0789163524f4180497992f0b0890e537da2043a272be
Instruction ID: cbcc71ac9cc55861afa9f548cded7b100f27c4d3d98f45cbe08828f5f026713d
Opcode Fuzzy Hash: cf29bde1ee1b6875675a0789163524f4180497992f0b0890e537da2043a272be
Instruction Fuzzy Hash: 4CD1BC71618302DFD704DF68E890A2ABBE9FF89314F49486DE886C7391D735E950CB61

Function 00D87FC0 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

P, xrefs: 00D88167

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: a5b390ceb50dca0ed8731f588900b4eef188cf1da2c91e8acfb7e0b5c609696f
Instruction ID: e1ba211a61759b6cb0ce963f79384f4830aab9fd9fba9d33a5c6d4fc6ccf5161
Opcode Fuzzy Hash: a5b390ceb50dca0ed8731f588900b4eef188cf1da2c91e8acfb7e0b5c609696f
Instruction Fuzzy Hash: 67D1F4729083618FC725DE18D89072EB7E2EB85718F59862CE8A5AB3C0CB71DC05D7E1

Function 00D6CCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D6CDC3, 00D6CDCB

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 4cbb32ac1b10b8308f354506a362d0d44431c6ab20f4fe1c850cbb08195e3314
Instruction ID: 36e20171393a01be560b65ef8b5aadb0649476b12b73f892d1e126e5b6dfe287
Opcode Fuzzy Hash: 4cbb32ac1b10b8308f354506a362d0d44431c6ab20f4fe1c850cbb08195e3314
Instruction Fuzzy Hash: 2DB1EC70A193419BD714DF58E880A3BBBF2EF95340F18592CE5C58B252E336E855CBB2

Function 00D4A850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00D4A9C3

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction ID: 8d56e74e466d4c4465fcd97587645e62699c8678fad2772db2c42ad0dda07117
Opcode Fuzzy Hash: 6a3fef2072c4110c7e08f213014c8aa891b97c95317c3c670d38149bab24221c
Instruction Fuzzy Hash: 86B118711083819FD325CF18C88061BBBE1AFA9704F488A2DF5D997782D671EA18CB67

Function 00D7FC20 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D7FCA4, 00D7FCAD

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5b3424b8f74b1cbfd333376f3d5020896fe29c7daa50bf5b755222e2c75277af
Instruction ID: 683f08ba87c7a192a11598b175669ec99f80de2c6d8e7d6edd46be110fce7ec0
Opcode Fuzzy Hash: 5b3424b8f74b1cbfd333376f3d5020896fe29c7daa50bf5b755222e2c75277af
Instruction Fuzzy Hash: B381BC71218300EBD725EF69E885B2AB7E5FB99701F04882DF5C897251E730D914CB72

Function 00D5D457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D5D663, 00D5D66B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 2a477d11bb12fb210c3a671cf56f0251b9166ebc61467e831b64b50ee421ee08
Instruction ID: 9a8e64612a9c7d604c883519b08bac8050549fb96bb12eb0c96c3b75324f29d7
Opcode Fuzzy Hash: 2a477d11bb12fb210c3a671cf56f0251b9166ebc61467e831b64b50ee421ee08
Instruction Fuzzy Hash: 9461C172909304DBDB20EF58E842A2AB3B1FF95355F080929FD859B361E731D915C7B2

Function 00D84A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D84C33, 00D84C3B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 2fe05c5acca158f43e87481fc6364b70c8ddebbdedb97f3c104c9d0a09d717c6
Instruction ID: 6cfa2323afdb0c3923687b531041b2a448a6c3614395146e0bca48e797d22379
Opcode Fuzzy Hash: 2fe05c5acca158f43e87481fc6364b70c8ddebbdedb97f3c104c9d0a09d717c6
Instruction Fuzzy Hash: 0561E1716093429FD715EF69D880B2AB7EAEBC4314F18892DE5C98B295D731EC40CB72

Function 00D4E1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00D4E333

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: 9b1f5c1e098d722096efd4e4eaa4ae204505abc8ef6f26727ce8523f91a425a7
Instruction ID: 5cfb658576fba2dfede0d7d7d4f43b67e2efb11ede4d3e9cfc7150524ec93d64
Opcode Fuzzy Hash: 9b1f5c1e098d722096efd4e4eaa4ae204505abc8ef6f26727ce8523f91a425a7
Instruction Fuzzy Hash: D8513633A696909BD329897C5C553A97BC72BA2334B3DC76AE9F1CB3E4D5558C0083B0

Function 00D83920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D839E3, 00D839EB

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 7fba9240d287c5f2c98cde9487b6b03bd6178296933fb0bf88f0e8916ad72564
Instruction ID: d43df89977bc8820de356936bad96c44cd6d0b8dcb23161fbf570b78890982b3
Opcode Fuzzy Hash: 7fba9240d287c5f2c98cde9487b6b03bd6178296933fb0bf88f0e8916ad72564
Instruction Fuzzy Hash: C2519174609340ABCB29FF59D880A2AB7E5FF85B44F18882CE4CA97251D771DE10CB72

Function 00D51BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00D51C3E

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: bf93b10fb85b2e7a119351d41c9673d57e0b3b2f2325443368ee7e4e0b117470
Instruction ID: f8f8aa42b65b28266c191124cbab316577e8cbbf170c5a1d222fae4089ba5698
Opcode Fuzzy Hash: bf93b10fb85b2e7a119351d41c9673d57e0b3b2f2325443368ee7e4e0b117470
Instruction Fuzzy Hash: 514144B80083809BCB149F64D894A2BBBF0FF86315F08891DF9C59B291D736C919CB66

Function 00D7FF70 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D80033, 00D8003B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 5727888426713749c5389a51f3cc35442bcdf42692648fb1e847755d23f6cee3
Instruction ID: 2c615d46e35679ab7b2ea411abe721f6b33d0ac3ab27501d63d9ac6a0d053eea
Opcode Fuzzy Hash: 5727888426713749c5389a51f3cc35442bcdf42692648fb1e847755d23f6cee3
Instruction Fuzzy Hash: BA31C3B1908305ABD650FA54DC81B3BBBE9EF85744F584829F885D7252E232DC18C7B3

Function 00D6E40C Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

72?1, xrefs: 00D6E6A2

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: 4adea2a5e5a067d15ae1b23eaef22fb4ca20035da33bc71506ba5b028aaa9d82
Instruction ID: c7385d41da724bddd0fbef26ef9dc5a25c2eee38b1ceb659df5c7b8daa7ec452
Opcode Fuzzy Hash: 4adea2a5e5a067d15ae1b23eaef22fb4ca20035da33bc71506ba5b028aaa9d82
Instruction Fuzzy Hash: 9331E4B9A01305DFDB20CF94E8805AFB7B5FB1A304F180829E446A7301D331A904CFB2

Function 00D56F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00D5703B

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f7ba6773b4347b234778b8c934a0c364b212a3aff45dc53a08928de7194f115c
Instruction ID: 7730af577f79edf98d362eb552e0c5b01667035e35c7a86cfbdbca40eb92ba51
Opcode Fuzzy Hash: f7ba6773b4347b234778b8c934a0c364b212a3aff45dc53a08928de7194f115c
Instruction Fuzzy Hash: B2415B71614B04DBDB358F65E994B27B7F2FB09702F288818ED86976A5E331F8048B30

Function 00D6E66A Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

72?1, xrefs: 00D6E6A2

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: 72?1
API String ID: 0-1649870076
Opcode ID: f42ab8a114626a021e849094e5f51b55ae69a16c99ad4b301657edff38e995b6
Instruction ID: 51c5cf3625ff3a7c9ad738833e34dc4683944fff5550c0593e769fa33b0e0716
Opcode Fuzzy Hash: f42ab8a114626a021e849094e5f51b55ae69a16c99ad4b301657edff38e995b6
Instruction Fuzzy Hash: 4E219CB9A01305DFCB20CF95D98096FBBB5FB1A744F180819E486AB341D335A905CBB2

Function 00D89CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00D89D30

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: a9bc91ada0830b8191279b8f8592353bc13147be2b1a7b55de6448726dcc84da
Instruction ID: bc831a989aa0ba8f8750adfd5f3217590d0a48cd0a6de70ca87ae0e88bb521f5
Opcode Fuzzy Hash: a9bc91ada0830b8191279b8f8592353bc13147be2b1a7b55de6448726dcc84da
Instruction Fuzzy Hash: 7D3176709093009BD310EF18D890A2BFBF9EF9A314F18892DE5C997251D335D904CBAA

Function 00D54E2A Relevance: 1.0, Instructions: 957COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f2d7a54fa72c0b473929fe40cf4f4c7d8d6081c0bd9e382f6e33f3353cc7bc
Instruction ID: abf73d600b9c70d938b6480de20526a76b7c542ccbb90eb7f4511dc66c5e44f1
Opcode Fuzzy Hash: 67f2d7a54fa72c0b473929fe40cf4f4c7d8d6081c0bd9e382f6e33f3353cc7bc
Instruction Fuzzy Hash: 8E626A70510B408FDB26CF28D890B27B7F5EF56705F58896CD89A87A56E730F848CBA1

Function 00D4BEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction ID: 4be6890301233a82b74195991142f3048eb8080c7413bf5be51e8cd431ffc960
Opcode Fuzzy Hash: 30cb9a533554be97e06675d3460cdff0be9d55b2c6c1132c24f0b6137cc6b4a7
Instruction Fuzzy Hash: 5C524B3161A7118BC765DF1CD4802BAF3E1FFC4319F299A2DC9C693290E734A851CBA6

Function 00D88652 Relevance: .7, Instructions: 710COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d9510cdd97de0283f4e7862f21b2a4f65f2b70ec24bed3cd7134c25f1b48b2
Instruction ID: 4be2b63cbd13861bf818b766156df7e121081a3156b28033957906f0059a91fd
Opcode Fuzzy Hash: a3d9510cdd97de0283f4e7862f21b2a4f65f2b70ec24bed3cd7134c25f1b48b2
Instruction Fuzzy Hash: CA22BB35608340DFC704EF68E890A2AB7E1FF89319F49896EE589C7362D735D851CB62

Function 00D886F0 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17bd7e18c04163c87b6d4249746d500888d3040039865cb097cd54b22e8a6aa
Instruction ID: a909a33a5f0063a4ca77a1734bbf952e9eca374ffdd6f2a9cc6e43c6334afedf
Opcode Fuzzy Hash: d17bd7e18c04163c87b6d4249746d500888d3040039865cb097cd54b22e8a6aa
Instruction Fuzzy Hash: E3229B35608340DFC704EF68E890A2AB7E1FB89315F49896EE5C5C7362D735D851CB62

Function 00D4B3A0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93026b0243647174d14ab5c00f401ba43290075915fd5d3afd07590c2a68dfe
Instruction ID: 70a4640429ca0b23e12aa9e3b1b35b40156fba766b400774c71220be3507bf3d
Opcode Fuzzy Hash: d93026b0243647174d14ab5c00f401ba43290075915fd5d3afd07590c2a68dfe
Instruction Fuzzy Hash: DF529570908B848FE735CB34C4847A7BBE1EFA1324F184D6ED5D606A82C779E985CB61

Function 00D471F0 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d89014f903036af60ef2edd36933dc4b94c2ca7411d9825dc84223090e8f047
Instruction ID: be391079d489613857afb404b00b05426540850f4e35cf0b4cf7be2bc3116cc0
Opcode Fuzzy Hash: 5d89014f903036af60ef2edd36933dc4b94c2ca7411d9825dc84223090e8f047
Instruction Fuzzy Hash: A752A03150C3458FCB15CF28C0906AABBE1FF88318F198A6DE8D95B352D775E949CBA1

Function 00D48FD0 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb43e715f16c90a7713da7d9e75a5a8aa508f67465a715613e019fabecbf239
Instruction ID: 38649d0e6c218f510ace3b08ef7c5f18c2c9555c8e1ce8a4bd969dbd4bdc36d6
Opcode Fuzzy Hash: 5eb43e715f16c90a7713da7d9e75a5a8aa508f67465a715613e019fabecbf239
Instruction Fuzzy Hash: 89426475618301DFD708CF29D86076ABBE1BF88315F09886CE4898B3A1D775D985CFA2

Function 00D47BF0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a03ad1759eebff0d1bff425424bf46bbb5070a02dfbda15d1ebd95efc0ffcc
Instruction ID: 71a62c5c62f37d26c15eb964a51b496cacdbe98e9e6047d85539edd8b5379c9b
Opcode Fuzzy Hash: 70a03ad1759eebff0d1bff425424bf46bbb5070a02dfbda15d1ebd95efc0ffcc
Instruction Fuzzy Hash: D8323170A18B118FC368CF29C59052ABBF2BF45750B644A2ED6A787F90D736F845DB20

Function 00D889A0 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b08a1105836f42d3432edd51939822e0439ee3f50773c20ae3060aac1e39a3
Instruction ID: 8fa6326dc108260313074ae6f5e71d8e3a6c70c0d70b692d0fcace14493ce999
Opcode Fuzzy Hash: 83b08a1105836f42d3432edd51939822e0439ee3f50773c20ae3060aac1e39a3
Instruction Fuzzy Hash: E0028A34608340DFC704EF68E890A2AFBE1EB89315F49896EE5C5C7362D335D811CB66

Function 00D88A80 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056b4f48564e4ef46b5d254a7d968bc69018e4ef3504a143567edf9eab1397fd
Instruction ID: e7fcb0ff3145d105f5fcdb0ce638f0f3ca95c9782d36db2b736f6e5071018c01
Opcode Fuzzy Hash: 056b4f48564e4ef46b5d254a7d968bc69018e4ef3504a143567edf9eab1397fd
Instruction Fuzzy Hash: 1AF17935608340DFC704EF68D890A2AFBE1EB8A315F49896EE4C5C7352D736D911CBA6

Function 00D88C02 Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916cdc5799bf0c00d79006777e1ee60e7fb1bd3c5e2e75c63cf3f331ca5ccb6d
Instruction ID: 28021ce31d7fd86c97d07e95dff4b48b78bec994a4571afdaee4f1dd9a5651b1
Opcode Fuzzy Hash: 916cdc5799bf0c00d79006777e1ee60e7fb1bd3c5e2e75c63cf3f331ca5ccb6d
Instruction Fuzzy Hash: 14E18C31608340DFC704EF68D890A2AF7E1BB8A315F49896DE5D5C7362D736E911CBA2

Function 00D4A300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction ID: a69fdcc744b9fab6102997b594af9f3549f732470e53611043490bf69c22694c
Opcode Fuzzy Hash: 8dbf8a9190905fd82ba4d34b3568b61c3c587483ba5650872ac470c2db95d517
Instruction Fuzzy Hash: C0F1AD766487418FD724CF29C88166BFBE6EFD8300F08882DE4D987751E639E945CB62

Function 00D88E70 Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c855379938c8f2dd0eaea1694f66653f129299c99ca4c73e24c9ddb7d0623db8
Instruction ID: 789106c664b4862c12207c98ab2c2f2d2af87a7f8527768122613995cac723f4
Opcode Fuzzy Hash: c855379938c8f2dd0eaea1694f66653f129299c99ca4c73e24c9ddb7d0623db8
Instruction Fuzzy Hash: 9BD1893460C380DFD705EF28D890A2AFBE5EB8A705F49896DE4C587352D736D811CBA6

Function 00D54487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff37ae1933227ccbcae5d20101808c6dfabd96e2c42612d2f3ac706b1f828b5f
Instruction ID: adbe3b456f08d82c3dcee58a28d1eb7d4e65ae6c0ab3b28254d31d468a4becd1
Opcode Fuzzy Hash: ff37ae1933227ccbcae5d20101808c6dfabd96e2c42612d2f3ac706b1f828b5f
Instruction Fuzzy Hash: 78E10EB5511B008FD7218F28D992B97BBE1FF06709F04886CE8AAC7752E731B8548B65

Function 00D86CBF Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c496d94203535ba3a6451d05dc53f954eb855897b241a28373a0d29e96b664b
Instruction ID: 8de37b5d2574fb79f42fc4e7cb1ec382a8cdfaccf87b038f9d6ed301bbf9d3f5
Opcode Fuzzy Hash: 0c496d94203535ba3a6451d05dc53f954eb855897b241a28373a0d29e96b664b
Instruction Fuzzy Hash: 25D1EF36618751CFC715CF78E88052AB7E2AF89314F098A7EE895D73A5D330DA44CBA1

Function 00D87AB0 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc122848bcd856f7f0d940d7ab485bbb30776d8fb75da4efa16f3ccee9ae04a
Instruction ID: 3f78a647dd7bce16c9206f66bbe320cd603df6e3f31ff5f60a10cf5005ba2e65
Opcode Fuzzy Hash: 2fc122848bcd856f7f0d940d7ab485bbb30776d8fb75da4efa16f3ccee9ae04a
Instruction Fuzzy Hash: 3EB1F5B2A083504BE314EA28CC41B6FB7EAEBC5314F18496DF99997391E735DC0487B2

Function 00D4AF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction ID: 8e32208d9324255942244e0c8df9bbd011f9f648e9db356de50c07b8a05c0996
Opcode Fuzzy Hash: 9c6117061885288c1b39a5b943f8482e52345fd8b1a48c2f17ef7dcb0cf10c7c
Instruction Fuzzy Hash: 8FC16AB2A087418FC360CF68DC96BABB7E1FF85318F08492DD1D9C6242E778A155CB56

Function 00D56536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffa02ff1604f43d2ddceadc78f6a4ba1055b81a578a4f0006ffa0fb08e52ae7
Instruction ID: a1b59bb6192b5daa7a17e86e51d125e23b18ebcdc3781b2063e975b892bccf3c
Opcode Fuzzy Hash: cffa02ff1604f43d2ddceadc78f6a4ba1055b81a578a4f0006ffa0fb08e52ae7
Instruction Fuzzy Hash: 26B1F1B4500B408FD7218F28C981B27BBF1EF46705F54885CE8AA8BB52E775F809CB65

Function 00D87710 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59fa607da036a24927eb6e4b20c1420ab565eea7a4dc16dc783953659fdef90b
Instruction ID: 32855d6f4c4ee7e72f5c77ec94d3b1277e41086bcc09deb3156ceb78cd9ccf36
Opcode Fuzzy Hash: 59fa607da036a24927eb6e4b20c1420ab565eea7a4dc16dc783953659fdef90b
Instruction Fuzzy Hash: C0916C71608301ABE724EB55DC80BAFBBE5EB85354F68482CF59897351E730E940CBB2

Function 00D8A0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c276feac09bc0eeae2ba6130efb0b26f87d1cf3f26d80bf852b73ac99dcc4abb
Instruction ID: 8569090cd02cd3111d48c324db4603fea68ed315a38701678790dd1c485f0c35
Opcode Fuzzy Hash: c276feac09bc0eeae2ba6130efb0b26f87d1cf3f26d80bf852b73ac99dcc4abb
Instruction Fuzzy Hash: 3381AE342097019BE724EF6CD880A2EB7E5EF59750F49892EE585CB251E735EC10CBA2

Function 00E3DA92 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec76466d95a6514d338c3e72897ca10798dd59c11988ed69ab6c6f4e97fcc68e
Instruction ID: eaef24b71a2315bfa786eb5c3842eb11b89649905e7a9e7215496f658d4f03fd
Opcode Fuzzy Hash: ec76466d95a6514d338c3e72897ca10798dd59c11988ed69ab6c6f4e97fcc68e
Instruction Fuzzy Hash: 20717EF3E092145BE3046E2DDC91376B7D6DBD4260F2B863DEA8497744F9355C164382

Function 00D764F0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8aa47bf2a9377d819b403852a3dd68c72e42e74d5bc2daef0f68dccfda54a0a
Instruction ID: 83d5cd2dbabe08e82e0ef338ff77cf862f37afc0e104eeb296bf61e3649c16c5
Opcode Fuzzy Hash: d8aa47bf2a9377d819b403852a3dd68c72e42e74d5bc2daef0f68dccfda54a0a
Instruction Fuzzy Hash: 7071B333B69E904BC314997C5C82395AA934BD6334B3DC3B9A9B8CB3E5F529C8065360

Function 00D628E9 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2bfae54848e7163fb050447572ab4df013a3c47734551987da13bd7f33cc5c
Instruction ID: 36401b985a8eda8eca6c3276bd2cedf1fb587dad63e1a818ee03cdef09468f57
Opcode Fuzzy Hash: bf2bfae54848e7163fb050447572ab4df013a3c47734551987da13bd7f33cc5c
Instruction Fuzzy Hash: 0E6176B45183409BD310AF18E851A2BBBF0EFA6750F18491DE5C58B361E33AD910CB66

Function 00D67C00 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82208defabfd32ab392dde099fb71e3a95c40f80320ad8022a0db78783088b4e
Instruction ID: 6063234a439df6a47d36169685cd860300b9d44d12934dbd9e37bf3ca1efba13
Opcode Fuzzy Hash: 82208defabfd32ab392dde099fb71e3a95c40f80320ad8022a0db78783088b4e
Instruction Fuzzy Hash: 9B519EB1618208ABDB209B24CC96BB733B4EF85768F194958F9858B291F375EC05CB71

Function 00D71860 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction ID: 521573fceb340e557561851fa825fb361225c04e801a4dc1608a0db794f591ec
Opcode Fuzzy Hash: 6d108e008403b3c92b59985e25fae4eb0cb21936506a5ffd7efe5999b9cc5533
Instruction Fuzzy Hash: 9861A135609311ABD714CE2CC58072EBBE6ABC5350F68CA2EE4DD8B251E370DD469B62

Function 00D782D0 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410c02a20db62a81d5cf2e48974c1efa6a0ebc85807e004b5976a112d24bc881
Instruction ID: 791f41eb3fbe9229cb84e09a9999bc95c736409ca702d6fcecaf07c9eebd9325
Opcode Fuzzy Hash: 410c02a20db62a81d5cf2e48974c1efa6a0ebc85807e004b5976a112d24bc881
Instruction Fuzzy Hash: E9614D33A9AA904BD314453C5C593A6AA831BD2334F3DC366D9F9CB3E4ED7988016371

Function 00D542FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823df24968eae43a71635b19c7581b103f343da5ec29a554e4cd696c95974166
Instruction ID: 518cac6ee027065a5f52fed4871e765c92dfdf6f766ac4c62de7fe52bc899ee7
Opcode Fuzzy Hash: 823df24968eae43a71635b19c7581b103f343da5ec29a554e4cd696c95974166
Instruction Fuzzy Hash: 7F81DFB4810B00AFD360EF39D947757BEF4EB06201F504A1DE8EA96695E730A459CBE3

Function 00EA89C2 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd1f7476b96c51c0231a528964204e6034d76748e5544f6a9eab2f5d37b52cf
Instruction ID: 602feb1faa7d5380b44f045b9d2235b618888c7369a8593186974cb1f775bd54
Opcode Fuzzy Hash: 0bd1f7476b96c51c0231a528964204e6034d76748e5544f6a9eab2f5d37b52cf
Instruction Fuzzy Hash: 9E51D7B2A082049FE304AF39DD8577AB7E5EBA4720F06CA3DE6C487748EA3954458647

Function 00D7E8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: f4bf03326550abcf54f81e6c9f3b35263eb885ca17fea21a7bc7d8958fc3b9cf
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 91517BB16083548FE314DF69D49435BBBE1BBC9318F044E2DE4E983391E379DA088B92

Function 00EF1C85 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39194c75a63daa5c303f692a22f6f710a1b386e50c0aab1c6819cd4db57f4892
Instruction ID: de099f7f16dcd3f2e2fa0db7737732925bb1d38094c8ac38c1c550e5ec92f421
Opcode Fuzzy Hash: 39194c75a63daa5c303f692a22f6f710a1b386e50c0aab1c6819cd4db57f4892
Instruction Fuzzy Hash: 30514DF3A083045FE308A96DEC85726B7D6EFD4710F2A813CD78483784FD7558068296

Function 00D87520 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7bac1f376321d97ed12de9f9c9930a64c909bb82374eb5366e6139ba9ea9fb
Instruction ID: d12156e23d9d0f7e2d51f68e71b212bdb37c832f42c4ba55cf78f5bb84bec947
Opcode Fuzzy Hash: 9b7bac1f376321d97ed12de9f9c9930a64c909bb82374eb5366e6139ba9ea9fb
Instruction Fuzzy Hash: 4F51C33160C210ABC715AE1CDC91B2EB7E6EB85754F788A2CE9E597391D631EC10C7B1

Function 00DCFD96 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b05888713b59e1c74db1ad35e39fe48032c7538b05f7d1e3ce3323ca41e5b7
Instruction ID: 37f129f53c2d826c951114f335d5c9402bff96ec2cc50c667c618c7ebfb3a261
Opcode Fuzzy Hash: f1b05888713b59e1c74db1ad35e39fe48032c7538b05f7d1e3ce3323ca41e5b7
Instruction Fuzzy Hash: 9A5158F3E442185BE304692AEC8577AB7DA9BD4320F1B423DDA899B780F87D4C058282

Function 00D45A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f935ec5b401d9bacbaa8b31824f5ed85e0ff65f11f7a54162685968ee64336c
Instruction ID: bcc84124ec95869efe55f1309221ba2cd23c17e7a2cfa1224b3389ae5ab08314
Opcode Fuzzy Hash: 3f935ec5b401d9bacbaa8b31824f5ed85e0ff65f11f7a54162685968ee64336c
Instruction Fuzzy Hash: 9651C1B5A047049FC714DF18E881926B7A1FF85324F19466CF89A8B356D631EC42CBA2

Function 00E37CA1 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17b6eb7683b38eddf0d8a6fdf14a30a2dbf192d8bb4f364b2bcafcd1cc4dccd
Instruction ID: 267cdc2c7c959b0a17444278c5da9007ac30ff676265d43bbae9a797b87f44fe
Opcode Fuzzy Hash: c17b6eb7683b38eddf0d8a6fdf14a30a2dbf192d8bb4f364b2bcafcd1cc4dccd
Instruction Fuzzy Hash: 835125F39082109FE305AE68EC857BAB7D2EB94310F1B893DDBD497740EA79480186C6

Function 00E7F04C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78e288f5149f6c47c84ff917755eee43cee6aaf2f1eec64df3255a59ba16806
Instruction ID: 8738125ead37606b9d5a7c517b50303819e8b76af5c2c99b0548df2343702778
Opcode Fuzzy Hash: b78e288f5149f6c47c84ff917755eee43cee6aaf2f1eec64df3255a59ba16806
Instruction Fuzzy Hash: 324159F3A092009BF308AE2ADC857BAB7D6EFC4320F1B853CD7C557784EA3558058696

Function 00D6EC48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983b2898ac2e3175f955da15e31b0c5bde79869524aa31a7236059edf5ce77cf
Instruction ID: c491d891fc89391e6a2acd9f3acefe0e034742a98885dafe24222ec53c0befd3
Opcode Fuzzy Hash: 983b2898ac2e3175f955da15e31b0c5bde79869524aa31a7236059edf5ce77cf
Instruction Fuzzy Hash: 8C418E78900316DBDF209F94DC91BA9B7B0FF0A340F184549E945AB3A1EB38A951CFA1

Function 00D89B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e22882b3918a468723b6f6da157eb37190001f6b8bf0df6512454d6c0287f3
Instruction ID: f739b6becbf4430f4082acce524eeb14ad28aaba1adc0dfc94f541a068c9e3c8
Opcode Fuzzy Hash: 29e22882b3918a468723b6f6da157eb37190001f6b8bf0df6512454d6c0287f3
Instruction Fuzzy Hash: E0417B74208300ABD710AB59E9A0B3AF7E6EB85714F58882DF5CA97251D336E811CB76

Function 00D52030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6513fd5ca680514d35b6cf70b095d355d7cd5625abd521ec9b9564a621faf67
Instruction ID: 6faf6a9659e0ffae2bf8d6fb90bd27f5a1ae2060e027e19bb7ddea9aa5037225
Opcode Fuzzy Hash: b6513fd5ca680514d35b6cf70b095d355d7cd5625abd521ec9b9564a621faf67
Instruction Fuzzy Hash: 79410772A183654FD75CCF2D849023ABBE2AFC5300F09862EE8D6873D0DA758949D7A1

Function 00D51E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6146408a49e97dcfa0b97a485b6ce26b527b84e24dd3a1641059494539c2dbef
Instruction ID: c361a1c34762466df33871f5ced316bf2865b53f246f6c382221065db4a32937
Opcode Fuzzy Hash: 6146408a49e97dcfa0b97a485b6ce26b527b84e24dd3a1641059494539c2dbef
Instruction Fuzzy Hash: 884111755083809BC721AB58C884B2EFBF5FB86346F144D1CFAC497292C376E8188F66

Function 00D88D8A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f0c7222b9a68a65f36186f5150e0ae10658ad48b36301b67e3cb3702bf889b
Instruction ID: 1b834ac8c79403ddd6afcd393a31c8627360469790b5f1d518abc59e707008a2
Opcode Fuzzy Hash: e8f0c7222b9a68a65f36186f5150e0ae10658ad48b36301b67e3cb3702bf889b
Instruction Fuzzy Hash: 9C41BF3160C2508FC704EF68C49052EFBE6EF99300F598A2EE4D5E72A1DB75DD018BA2

Function 00D5D961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ccf3bbd259e5c80d4432cdd8d6cd9bbe1abf302d7a507ed8edd9620285d983
Instruction ID: c1977a9ede2a88a34b2cd5adf67ce0664cee95b1d0eba17b33ea73dba5badcd7
Opcode Fuzzy Hash: 62ccf3bbd259e5c80d4432cdd8d6cd9bbe1abf302d7a507ed8edd9620285d983
Instruction Fuzzy Hash: C5419CB56493818BE7309F14C841BABB7B1FFA6361F080959E88A8B751E7744944CBB3

Function 00D7F030 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction ID: 6ad4402b3b452578988e442b79906c69cd093ff8435268d7b88f05f9037556ad
Opcode Fuzzy Hash: c5be6113664422e96713363ec41851647c31506b086c17a8b3ff98e201e465e1
Instruction Fuzzy Hash: 0321F5329082244BC3349B5DC48163AF7E5EB99704F4AC62EE9C8A7295E3359C1487E2

Function 00D867EF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67fd545b3e59ed9c6a0de91ba6e1f164bf370063b77776f1725256892bbd8c8
Instruction ID: 123e71e900e57a163aa08dede2a95c87b601f9d5d8c61a7722ca03e67d63ac68
Opcode Fuzzy Hash: b67fd545b3e59ed9c6a0de91ba6e1f164bf370063b77776f1725256892bbd8c8
Instruction Fuzzy Hash: D33114705183829AD714EF15C490A2FBBF0EF96794F54580DF4C8AB2A1D338D985CBAA

Function 00D65E70 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e122227f097d8e24126b7adbae0c83331a3a4bce22a0ed2a7b735dd1678b91
Instruction ID: f418a513ce8525db83ed8aac2b7798a813fd4b148dbd0cdbb247cc1857e79d97
Opcode Fuzzy Hash: 53e122227f097d8e24126b7adbae0c83331a3a4bce22a0ed2a7b735dd1678b91
Instruction Fuzzy Hash: 7521AE715092019BC710AF28D85192BBBF4EF96764F488908F4D99B296E335CA80CBB3

Function 00D449A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction ID: 6d310c6e064a4bfabf6be60047e9143c2bec0b113888676449cb6d9e1dc585c9
Opcode Fuzzy Hash: cbe2eee255ce80e2df90ed4850d7395439c2c852be5922ee4a7cea5853ec6c97
Instruction Fuzzy Hash: E131C5316582009BD7149E58D882B2BB7E1FF8435DF1C892DE8DA9B341D331DC92DB66

Function 00D864B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4a7a3330d06415724622481312ef256303369f848d44edc9270a644ff7cf67
Instruction ID: faca64e5c3e65140b44d07f9e6960d95636d0edfb733482ef7fe165e1639f68e
Opcode Fuzzy Hash: 9c4a7a3330d06415724622481312ef256303369f848d44edc9270a644ff7cf67
Instruction Fuzzy Hash: 9F21437060C240ABC705EF59E880A2EFBE6FB95765F28881CE4C493362C335E850CB72

Function 00D50EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5afb8d24a6a21233a048c314eedf00aedfc1def6f657a8c27ea511c5bcd2f7
Instruction ID: 44e0f945e308c427401105f6c46f930e42b4045e9a758801d6d868ecdbd5f3a3
Opcode Fuzzy Hash: 7b5afb8d24a6a21233a048c314eedf00aedfc1def6f657a8c27ea511c5bcd2f7
Instruction Fuzzy Hash: 2F2116B490021A9FDF15CFA4CC90BBEBBB5FF4A305F144849E811AB392C735A915CB64

Function 00D85700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93079f8c8a1d03716ee3fd6fca4b7982b5b93a6aa2aa76e9a032e5a7487f05ab
Instruction ID: 8fdde65b4ad691c8032ece9f1d766a04751a9aa8ca20858c2c70213871ba9841
Opcode Fuzzy Hash: 93079f8c8a1d03716ee3fd6fca4b7982b5b93a6aa2aa76e9a032e5a7487f05ab
Instruction Fuzzy Hash: 38114875918280EBC701AF28EC45A1BBBE5EF96B10F158828E4C8DB325D335D915CBB7

Function 00D7B650 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f54335a3929116b8f5d7bffc249810c805e28d393c6a87f8c3bbd02ceb0ce1b7
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 5E118633A051D44EC7168D3C8440669BFE31AA3635B5D839AE5B89F2D2E7228D8A8365

Function 00D70B80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction ID: d541b977f9ef6e561daa6bf10a201263ae53d1d6a679f96405382e2faebe84e0
Opcode Fuzzy Hash: 90022ddfb32469098a8610d4b68e70bc315f5b0e8987f5b71d64abe4c0da561b
Instruction Fuzzy Hash: C40175F5A1130187E7209E5494D1B3BB6A8AF44718F1C852CD50E97281FB76ED05C6B1

Function 00D6D1E1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320b03419e05b2a4734c4fba75b5dbee4bc4edbe671a8ccf41d90a277254c7e2
Instruction ID: a8625be21c77ac80334a50060dce3fd829fb4e49455ef97f25f3e49e2e6457a4
Opcode Fuzzy Hash: 320b03419e05b2a4734c4fba75b5dbee4bc4edbe671a8ccf41d90a277254c7e2
Instruction Fuzzy Hash: 7C11EFB0408380AFD310AF61C494A1FFBE5EB96714F248C0DF5A49B251C375D819CF66

Function 00D46EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7233f4bd42b711d201e803d9e2cfd9b1ce1c1ba5c00d20315f65160094f54068
Instruction ID: b5c41432047b1ce70b9212a60e72a24b25731bacc91ccf77f2f907da064cb39b
Opcode Fuzzy Hash: 7233f4bd42b711d201e803d9e2cfd9b1ce1c1ba5c00d20315f65160094f54068
Instruction Fuzzy Hash: 96F0E03E7153194B6210CDBAE88483BF3D6DBD6365B185539EE81D3311DD71E80552F1

Function 00D7B8C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction ID: 6506d07c58c905065930edc77b6421f51c28c54387ea28b09faa2761b04cb969
Opcode Fuzzy Hash: dad40b8a8b0cf0c680be38028a9801f4e1e9da1297b4f3b9e1d9df466e9bee7e
Instruction Fuzzy Hash: 1E0162B3A199610B8348CE3DDC1156BBAD15BD5770F19872DBEF5CB3E0D230C8118695

Function 00D5C5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00D5B410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 900bc7234a59256d7d4d5b2a3b1b736383bda3985d9573a1427b0e7f17a5583d
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: FDF0A7B160451457DF328A589C80B37BB9CCB97369F190427EC4557143D261584DC3F5

Function 00D78220 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ece22dcb918c62dfb676260d8a1626b8bbd1fdd62e1ed8b06dbd72b24709fb4
Instruction ID: 9e28ab99245f5c58e1e6b664c2a59afeaf57d43f6cf14718d2901129266134ac
Opcode Fuzzy Hash: 1ece22dcb918c62dfb676260d8a1626b8bbd1fdd62e1ed8b06dbd72b24709fb4
Instruction Fuzzy Hash: DF01EFB0410B009FC360EF29C845B4BBBE8EB08714F008A1DE8AECB780D770A5488B92

Function 00D81440 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: 80da50cce04754753580715d831094cfd091f77544c5264169dee8bee85da0a9
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: EED05E2560832186AB649E1DA4009BBF7E4EA87B11F4D955EF586E3148D230DC42C2B9

Function 00D51ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed021e3fb88ba2bf5e913f81804a59c4b2ea53c9d0b39c8b3219e229475da54
Instruction ID: 4ceea94a30c52740069235f3d46c4ea0549eb537927a715ab6ed5b2aa2f69831
Opcode Fuzzy Hash: aed021e3fb88ba2bf5e913f81804a59c4b2ea53c9d0b39c8b3219e229475da54
Instruction Fuzzy Hash: 19C01238A292008B82048F08E895932A3B8A306209700602BDA02E3322DA60C4168A29

Function 00D86094 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c1049c5c347e4ceb95f1fc42dbb1357dec013cefef26a3dfe21be5ffd77148
Instruction ID: a38f772b2c19a2d8786c7108dd5745184e443c8b9c17e2cd5808760bfda6a23f
Opcode Fuzzy Hash: e9c1049c5c347e4ceb95f1fc42dbb1357dec013cefef26a3dfe21be5ffd77148
Instruction Fuzzy Hash: C9C04C3865C100869108CE04E955475E2669A97618724B01AC84663355C124D512952C

Function 00D51A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e369e384becc422a0b5ce84e287d01954a2d0a222c90152ca81e6b91a769656a
Instruction ID: a60064144d92a82a82d037f239c4256ff4597b91f1ef4c584203698e760c3ae7
Opcode Fuzzy Hash: e369e384becc422a0b5ce84e287d01954a2d0a222c90152ca81e6b91a769656a
Instruction Fuzzy Hash: 37C09B38A79244CBC644CF8DE8D1932A3FC5317209710303B9F43F7361D560D4158719

Function 00D85FD6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2036561633.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2036550122.0000000000D40000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000DA0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000F1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000000FFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.000000000102A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001033000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036592918.0000000001042000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036813206.0000000001043000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036916822.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2036930764.00000000011E0000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3dc5f1afa80edfcbfff21e0363c7908b0ac6b67d2d82d8475deb6cc06ed8bac
Instruction ID: e0b59534d119119b722e5d2acf155de504a15484082d51bd9d7a20ff36bc6bc9
Opcode Fuzzy Hash: d3dc5f1afa80edfcbfff21e0363c7908b0ac6b67d2d82d8475deb6cc06ed8bac
Instruction Fuzzy Hash: 42C09228B682008BA24CCF18DD55936F2BA9B8BA1CB14B02EC806E3356D134D512862C

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
file.exe

Function 00D850FA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
libraryCOMMON

Function 00D4FCA0 Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Function 00D4D110 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Function 00D85BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00D8695B Relevance: 1.4, Strings: 1, Instructions: 100
COMMON

Function 00D5049B Relevance: .3, Instructions: 264
COMMON

Function 00D50228 Relevance: .2, Instructions: 218
COMMON

Function 00D83220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00D83202 Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON