Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1533037
MD5:	b7c6caceb7f0ff55a6d276ef2d4505af
SHA1:	b50a32531b09099caa47ce317a89c4dd38b0a7f2
SHA256:	8c67a0c7241778a14e218933a14a80797a45fca028aff527b42b2f6192a68387
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

file.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B7C6CACEB7F0FF55A6D276EF2D4505AF)

WerFault.exe (PID: 7964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1940 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["clearancek.site", "eaglepawnoy.store", "spirittunek.store", "licendfilteo.site", "studennotediw.store", "mobbipenju.store", "bathdoomgaz.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:14.459626+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49701	104.21.53.8	443	TCP
2024-10-14T11:03:15.541991+0200	2054653	1	A Network Trojan was detected	192.168.2.7	49707	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:14.459626+0200	2049836	1	A Network Trojan was detected	192.168.2.7	49701	104.21.53.8	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:15.541991+0200	2049812	1	A Network Trojan was detected	192.168.2.7	49707	104.21.53.8	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.668185+0200	2056477	1	Domain Observed Used for C2 Detected	192.168.2.7	51562	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.568759+0200	2056471	1	Domain Observed Used for C2 Detected	192.168.2.7	55665	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.640630+0200	2056481	1	Domain Observed Used for C2 Detected	192.168.2.7	52001	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.628627+0200	2056483	1	Domain Observed Used for C2 Detected	192.168.2.7	61034	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.800129+0200	2056473	1	Domain Observed Used for C2 Detected	192.168.2.7	51654	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.616617+0200	2056485	1	Domain Observed Used for C2 Detected	192.168.2.7	50482	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.686786+0200	2056475	1	Domain Observed Used for C2 Detected	192.168.2.7	63975	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:11.653259+0200	2056479	1	Domain Observed Used for C2 Detected	192.168.2.7	57236	1.1.1.1	53	UDP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T11:03:13.680682+0200	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49699	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7576.4.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "eaglepawnoy.store", "spirittunek.store", "licendfilteo.site", "studennotediw.store", "mobbipenju.store", "bathdoomgaz.store", "dissapoiznw.store"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: sergei-esenin.com	Virustotal: Detection: 17%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 18%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 21%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 21%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 21%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: mobbipenju.store	Virustotal: Detection: 21%	Perma Link
Source: https://sergei-esenin.com/apiM	Virustotal: Detection: 13%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 21%	Perma Link
Source: studennotediw.store	Virustotal: Detection: 17%	Perma Link
Source: https://eaglepawnoy.store:443/api	Virustotal: Detection: 21%	Perma Link
Source: clearancek.site	Virustotal: Detection: 17%	Perma Link
Source: dissapoiznw.store	Virustotal: Detection: 21%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 21%	Perma Link
Source: licendfilteo.site	Virustotal: Detection: 15%	Perma Link
Source: eaglepawnoy.store	Virustotal: Detection: 18%	Perma Link
Source: https://sergei-esenin.com:443/apifiles/76561199724331900	Virustotal: Detection: 9%	Perma Link
Source: https://sergei-esenin.com:443/api	Virustotal: Detection: 18%	Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: clearancek.site
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: licendfilteo.site
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: spirittunek.store
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: bathdoomgaz.store
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: studennotediw.store
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: dissapoiznw.store
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: eaglepawnoy.store
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: mobbipenju.store
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: clearancek.site
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp	String decryptor: 4SD0y4--legendaryy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49707 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	4_2_00AE99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_00AAD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_00AAD110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_00AAFCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	4_2_00AB6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	4_2_00AA49A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	4_2_00AE3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	4_2_00ABD961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	4_2_00AB42FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	4_2_00AB1ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	4_2_00AB1A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	4_2_00AE4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	4_2_00AA5A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	4_2_00AB1BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	4_2_00AB3BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	4_2_00AAA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	4_2_00AE9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_00AE9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	4_2_00AE9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	4_2_00ACCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_00ACCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	4_2_00ACCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	4_2_00ABB410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	4_2_00ACC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00ABD457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	4_2_00AA8590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	4_2_00AB6536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00AC9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	4_2_00ACFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	4_2_00AA6EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	4_2_00AB6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	4_2_00AABEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	4_2_00AB1E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	4_2_00AB0EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	4_2_00AB6F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	4_2_00AE5700

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:55665 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:61034 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:57236 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:52001 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:63975 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:50482 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:51654 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:51562 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49699 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49701 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49707 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49707 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: spirittunek.store
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store
Source: Malware configuration extractor	URLs: dissapoiznw.store

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=AqhxCjlq_E3AgO9n.7dMsBL7zg.kGWAWYSyOi_3alMM-1728896594-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eaglepawnoy.store:443/api
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site:443/apid
Source: file.exe, 00000004.00000003.1321868855.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000004.00000003.1321868855.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/LOu
Source: file.exe, 00000004.00000003.1321750221.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000004.00000002.1598907170.00000000011BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiM
Source: file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apifiles/76561199724331900
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowU)
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://studennotediw.store:443/api:
Source: file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-errop
Source: file.exe, 00000004.00000003.1321594830.0000000001209000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-man
Source: file.exe, 00000004.00000003.1321868855.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-manMV
Source: file.exe, 00000004.00000003.1321594830.0000000001209000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49707 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AB0228	4_2_00AB0228
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00ADE8A0	4_2_00ADE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AEA0D0	4_2_00AEA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AB2030	4_2_00AB2030
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AAA850	4_2_00AAA850
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AAE1A0	4_2_00AAE1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AA5160	4_2_00AA5160
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AE4A40	4_2_00AE4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AAA300	4_2_00AAA300
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AA7CA4	4_2_00AA7CA4
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AB4487	4_2_00AB4487
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AB049B	4_2_00AB049B
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00ACCCD0	4_2_00ACCCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00ACC470	4_2_00ACC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AA35B0	4_2_00AA35B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AA8590	4_2_00AA8590
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00ABC5F0	4_2_00ABC5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00ACFD10	4_2_00ACFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AB6EBF	4_2_00AB6EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AABEB0	4_2_00AABEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4_2_00AAAF10	4_2_00AAAF10

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00ABD300 appears 47 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1940

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: ZLIB complexity 0.9995423370462047

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@10/2

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7576

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\60f4c263-0033-4bdb-b45d-6041384cc389

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1940

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 2963456 > 1048576

Source: file.exe

Static PE information: Raw size of dobewrry is bigger than: 0x100000 < 0x2aa000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 4.2.file.exe.aa0000.0.unpack :EW;.rsrc :W;.idata :W;dobewrry:EW;uiaqfnoj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;dobewrry:EW;uiaqfnoj:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2e0125 should be: 0x2e2532

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: dobewrry
Source: file.exe	Static PE information: section name: uiaqfnoj
Source: file.exe	Static PE information: section name: .taggant

Source: file.exe

Static PE information: section name: entropy: 7.982810470141253

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B04414 second address: B03CB1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F72B9AA7988h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sub dword ptr [ebp+122D1F93h], ecx 0x00000015 mov dword ptr [ebp+122D1F93h], eax 0x0000001b push dword ptr [ebp+122D0DF5h] 0x00000021 sub dword ptr [ebp+122D2012h], edi 0x00000027 call dword ptr [ebp+122D29ACh] 0x0000002d pushad 0x0000002e cmc 0x0000002f xor eax, eax 0x00000031 cld 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 mov dword ptr [ebp+122D29EBh], eax 0x0000003c cld 0x0000003d mov dword ptr [ebp+122D2C3Ah], eax 0x00000043 xor dword ptr [ebp+122D29EBh], esi 0x00000049 cmc 0x0000004a mov esi, 0000003Ch 0x0000004f sub dword ptr [ebp+122D2012h], edi 0x00000055 mov dword ptr [ebp+122D29EBh], ebx 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f jmp 00007F72B9AA798Dh 0x00000064 lodsw 0x00000066 add dword ptr [ebp+122D29EBh], edi 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 add dword ptr [ebp+122D2628h], ecx 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a jnl 00007F72B9AA798Ch 0x00000080 mov dword ptr [ebp+122D29EBh], esi 0x00000086 nop 0x00000087 jns 00007F72B9AA79A0h 0x0000008d pushad 0x0000008e push eax 0x0000008f push edx 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6D2C3 second address: C6D2C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8209A second address: C8209E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8209E second address: C820B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B8E40BFEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C820B1 second address: C820BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C820BF second address: C820D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C820D8 second address: C820F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jp 00007F72B9AA7986h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C820F0 second address: C82119 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F72B8E40BFCh 0x00000008 jnc 00007F72B8E40BF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F72B8E40C02h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C82119 second address: C8211E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8211E second address: C82123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C821BE second address: C821C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F72B9AA7986h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C821C9 second address: C821CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C821CF second address: C821D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C821D3 second address: C821D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C821D7 second address: C82216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 588CA7E0h 0x0000000f mov si, BBCAh 0x00000013 push 00000003h 0x00000015 mov ecx, 4AF829A0h 0x0000001a push 00000000h 0x0000001c mov esi, dword ptr [ebp+122D2D1Ah] 0x00000022 push 00000003h 0x00000024 mov dword ptr [ebp+122D1F93h], eax 0x0000002a mov ecx, dword ptr [ebp+122D2E5Eh] 0x00000030 push B72E3467h 0x00000035 jc 00007F72B9AA7994h 0x0000003b push eax 0x0000003c push edx 0x0000003d push ebx 0x0000003e pop ebx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C82216 second address: C8221A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8221A second address: C82253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 772E3467h 0x0000000d mov dl, EAh 0x0000000f lea ebx, dword ptr [ebp+12451FCFh] 0x00000015 pushad 0x00000016 mov ecx, dword ptr [ebp+122D1F93h] 0x0000001c mov ax, 5065h 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F72B9AA7990h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b pushad 0x0000002c popad 0x0000002d pop eax 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C822D1 second address: C822D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C822D7 second address: C82304 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F72B9AA798Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F72B9AA799Ah 0x00000013 jmp 00007F72B9AA7994h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7238F second address: C7239D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jnl 00007F72B8E40BF6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1276 second address: CA1298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B9AA7990h 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F72B9AA7986h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1298 second address: CA129C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA129C second address: CA12A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA140D second address: CA1411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1411 second address: CA1431 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F72B9AA7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F72B9AA7996h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1431 second address: CA143B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F72B8E40BF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA143B second address: CA143F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1C7A second address: CA1C84 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F72B8E40BFEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1C84 second address: CA1CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F72B9AA798Eh 0x00000010 jbe 00007F72B9AA7986h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1CA5 second address: CA1CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1CAA second address: CA1CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F72B9AA7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1E2F second address: CA1E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jns 00007F72B8E40BF6h 0x0000000c pop eax 0x0000000d jo 00007F72B8E40BFEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2120 second address: CA2126 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2126 second address: CA2131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2131 second address: CA2146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F72B9AA7986h 0x0000000a jnc 00007F72B9AA7986h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C99AF0 second address: C99B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40BFDh 0x00000007 jmp 00007F72B8E40C05h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jo 00007F72B8E40BF6h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C99B26 second address: C99B30 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F72B9AA7986h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C99B30 second address: C99B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C99B36 second address: C99B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2B6B second address: CA2B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2B6F second address: CA2B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F72B9AA7992h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2B96 second address: CA2B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2B9A second address: CA2BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2CF4 second address: CA2D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B8E40C09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2D11 second address: CA2D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2D15 second address: CA2D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007F72B8E40C05h 0x0000000d jc 00007F72B8E40C02h 0x00000013 jmp 00007F72B8E40BFCh 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2D47 second address: CA2D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2FF7 second address: CA2FFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2FFB second address: CA300D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F72B9AA7986h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AA3 second address: CA5AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AAA second address: CA5AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AB0 second address: CA5AC5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F72B8E40BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AC5 second address: CA5ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5ACC second address: CA5AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F72B8E40BF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AD6 second address: CA5ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5ADA second address: CA5AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AEC second address: CA5AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5AF2 second address: CA5AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA5D51 second address: CA5D5B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F72B9AA7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA8927 second address: CA8939 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B8E40BFDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA8939 second address: CA8945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA8945 second address: CA895C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F72B8E40C02h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACC7A second address: CACC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACC80 second address: CACC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACC84 second address: CACCA1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F72B9AA7986h 0x00000008 jmp 00007F72B9AA7990h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACCA1 second address: CACCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACCAC second address: CACCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACF9C second address: CACFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CACFA2 second address: CACFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F72B9AA798Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAD609 second address: CAD60D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAD60D second address: CAD611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAD611 second address: CAD61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0AD8 second address: CB0B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edx 0x00000009 popad 0x0000000a add dword ptr [esp], 516EC573h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F72B9AA7988h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b jmp 00007F72B9AA7991h 0x00000030 push C0D83F83h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F72B9AA7995h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0E44 second address: CB0E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0FED second address: CB1005 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F72B9AA798Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1005 second address: CB100F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F72B8E40BF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB17A4 second address: CB17A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB17A8 second address: CB17D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B8E40C03h 0x00000008 jl 00007F72B8E40BF6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F72B8E40BFCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB17D6 second address: CB17ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72B9AA7993h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB18C3 second address: CB18D7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F72B8E40BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F72B8E40BF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1978 second address: CB197C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C758BB second address: C758CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F72B8E40BF6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C758CA second address: C758CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C758CE second address: C758D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C758D4 second address: C75924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F72B9AA79A8h 0x0000000c popad 0x0000000d jl 00007F72B9AA79BCh 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a jmp 00007F72B9AA7992h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB3886 second address: CB3890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F72B8E40BF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB52BE second address: CB5354 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F72B9AA798Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D2D72h] 0x00000011 push 00000000h 0x00000013 sub esi, dword ptr [ebp+122D2DCEh] 0x00000019 call 00007F72B9AA7998h 0x0000001e jmp 00007F72B9AA798Ch 0x00000023 pop edi 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F72B9AA7988h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 mov dword ptr [ebp+12453058h], eax 0x00000046 pushad 0x00000047 jmp 00007F72B9AA7990h 0x0000004c cld 0x0000004d popad 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jmp 00007F72B9AA798Bh 0x00000057 ja 00007F72B9AA7986h 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5354 second address: CB5387 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B8E40C09h 0x00000008 jc 00007F72B8E40BF6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jne 00007F72B8E40BF8h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5387 second address: CB538B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5CB5 second address: CB5CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5CBB second address: CB5CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5CC4 second address: CB5CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB67EF second address: CB6806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72B9AA7993h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7291 second address: CB7309 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F72B8E40BF8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F72B8E40BF8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f call 00007F72B8E40C02h 0x00000044 mov di, 9FC4h 0x00000048 pop edi 0x00000049 push 00000000h 0x0000004b push ecx 0x0000004c jne 00007F72B8E40BFCh 0x00000052 pop edi 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jl 00007F72B8E40BF8h 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7309 second address: CB7313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F72B9AA7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7D1D second address: CB7D27 instructions: 0x00000000 rdtsc 0x00000002 js 00007F72B8E40BFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA417 second address: CBA41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA41B second address: CBA41F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBC74C second address: CBC750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBCCCE second address: CBCCDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F72B8E40BF6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBCE19 second address: CBCE1E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBDF0D second address: CBDF17 instructions: 0x00000000 rdtsc 0x00000002 je 00007F72B8E40BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBDF17 second address: CBDF1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFEF2 second address: CBFF5D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b movzx ebx, cx 0x0000000e push ebx 0x0000000f mov di, ax 0x00000012 pop ebx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov edi, dword ptr [ebp+122D2D72h] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 pushad 0x00000028 mov dword ptr [ebp+12459F8Ch], ebx 0x0000002e je 00007F72B8E40BFCh 0x00000034 mov ecx, dword ptr [ebp+124782CFh] 0x0000003a popad 0x0000003b mov eax, dword ptr [ebp+122D0171h] 0x00000041 push 00000000h 0x00000043 push esi 0x00000044 call 00007F72B8E40BF8h 0x00000049 pop esi 0x0000004a mov dword ptr [esp+04h], esi 0x0000004e add dword ptr [esp+04h], 00000015h 0x00000056 inc esi 0x00000057 push esi 0x00000058 ret 0x00000059 pop esi 0x0000005a ret 0x0000005b mov ebx, dword ptr [ebp+122D29F8h] 0x00000061 push FFFFFFFFh 0x00000063 nop 0x00000064 pushad 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFF5D second address: CBFF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007F72B9AA798Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1B30 second address: CC1B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4E0E second address: CC4E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4E17 second address: CC4E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC5E1F second address: CC5E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8DF5 second address: CC8DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8DF9 second address: CC8E0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA798Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8E0A second address: CC8E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F72B8E40BF8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 sub dword ptr [ebp+122D206Bh], edx 0x0000002d push 00000000h 0x0000002f call 00007F72B8E40BFAh 0x00000034 pop ebx 0x00000035 xchg eax, esi 0x00000036 jng 00007F72B8E40C0Dh 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push esi 0x00000041 pop esi 0x00000042 jmp 00007F72B8E40BFBh 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8083 second address: CC8150 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F72B9AA7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e xor edi, dword ptr [ebp+122D2C8Ah] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jnp 00007F72B9AA7988h 0x00000021 mov edi, esi 0x00000023 mov bl, 02h 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c mov bx, D0C4h 0x00000030 movzx edi, si 0x00000033 mov eax, dword ptr [ebp+122D0A65h] 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F72B9AA7988h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 sub edi, 32439628h 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push ecx 0x0000005e call 00007F72B9AA7988h 0x00000063 pop ecx 0x00000064 mov dword ptr [esp+04h], ecx 0x00000068 add dword ptr [esp+04h], 0000001Bh 0x00000070 inc ecx 0x00000071 push ecx 0x00000072 ret 0x00000073 pop ecx 0x00000074 ret 0x00000075 nop 0x00000076 pushad 0x00000077 jmp 00007F72B9AA7996h 0x0000007c jmp 00007F72B9AA7995h 0x00000081 popad 0x00000082 push eax 0x00000083 pushad 0x00000084 push eax 0x00000085 push edx 0x00000086 jmp 00007F72B9AA7995h 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCC288 second address: CCC2AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B8E40BFBh 0x00000008 jp 00007F72B8E40BF6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 js 00007F72B8E40BF6h 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8150 second address: CC8159 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD19C second address: CCD206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F72B8E40BF8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 or ebx, 769E4122h 0x00000029 push 00000000h 0x0000002b sub bh, 00000035h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F72B8E40BF8h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D1F41h] 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 jl 00007F72B8E40BFCh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD206 second address: CCD21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F72B9AA798Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8FF1 second address: CC9012 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F72B8E40BFCh 0x00000008 jg 00007F72B8E40BF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jbe 00007F72B8E40BF6h 0x0000001a jnp 00007F72B8E40BF6h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC9012 second address: CC9018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC9018 second address: CC901C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD44D second address: CCD451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD451 second address: CCD455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD455 second address: CCD45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD45B second address: CCD461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD3A94 second address: CD3ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F72B9AA7992h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jmp 00007F72B9AA7990h 0x00000011 push edi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 ja 00007F72B9AA7986h 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD3ACB second address: CD3ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD596A second address: CD596F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD596F second address: CD5974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD5974 second address: CD597A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B7FD second address: C6B820 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F72B8E40C15h 0x00000008 jmp 00007F72B8E40C09h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B820 second address: C6B827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD94BD second address: CD94C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F72B8E40BF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDF3FB second address: CDF401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDF401 second address: CDF416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F72B8E40BFCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDF416 second address: CDF441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F72B9AA7995h 0x0000000e jbe 00007F72B9AA7986h 0x00000014 pop ecx 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDF441 second address: CDF447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE4051 second address: CE406F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 ja 00007F72B9AA7986h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jng 00007F72B9AA7986h 0x00000016 jnc 00007F72B9AA7986h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE431A second address: CE4322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE446A second address: CE4475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE88A1 second address: CE88AD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE88AD second address: CE88CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA7999h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE777C second address: CE7785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7785 second address: CE778F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F72B9AA7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF395 second address: CAF3CB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F72B8E40C03h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c lea eax, dword ptr [ebp+1247F0A5h] 0x00000012 sbb di, AEDFh 0x00000017 xor edi, 28A23527h 0x0000001d nop 0x0000001e pushad 0x0000001f pushad 0x00000020 jno 00007F72B8E40BF6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF3CB second address: CAF3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF3D3 second address: CAF3FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F72B8E40BF6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F72B8E40C05h 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF3FB second address: C99AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F72B9AA7988h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 call dword ptr [ebp+122D2672h] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push esi 0x0000002d pop esi 0x0000002e pop eax 0x0000002f jmp 00007F72B9AA7996h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF5D4 second address: CAF5D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF86B second address: CAF86F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF86F second address: CAF875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAF875 second address: CAF87A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFAFE second address: CAFB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFB03 second address: CAFB2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA7999h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007F72B9AA7986h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFB2A second address: CAFB2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFBA5 second address: CAFBAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFBAB second address: CAFBAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFC9E second address: CAFCD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 jmp 00007F72B9AA7998h 0x0000000d pop ebx 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jc 00007F72B9AA798Ah 0x00000019 push esi 0x0000001a pushad 0x0000001b popad 0x0000001c pop esi 0x0000001d mov eax, dword ptr [eax] 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFCD5 second address: CAFCE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAFEE1 second address: CAFF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B9AA7993h 0x00000009 popad 0x0000000a jc 00007F72B9AA798Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB02D0 second address: CB02D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0463 second address: CB0467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB06E3 second address: CB0736 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F72B8E40BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 mov dword ptr [ebp+122D2678h], edx 0x0000001a lea eax, dword ptr [ebp+1247F0A5h] 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F72B8E40BF8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jbe 00007F72B8E40BF6h 0x00000044 jne 00007F72B8E40BF6h 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0736 second address: C9A5F6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F72B9AA798Ch 0x00000008 jl 00007F72B9AA7986h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push esi 0x00000012 pushad 0x00000013 jng 00007F72B9AA7986h 0x00000019 jno 00007F72B9AA7986h 0x0000001f popad 0x00000020 pop esi 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F72B9AA7988h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000014h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov ecx, dword ptr [ebp+122D25BBh] 0x00000042 call dword ptr [ebp+122D2A95h] 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A5F6 second address: C9A5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A5FA second address: C9A60A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F72B9AA7986h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A60A second address: C9A66C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F72B8E40BFCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F72B8E40C04h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F72B8E40BFCh 0x00000019 pushad 0x0000001a jmp 00007F72B8E40BFFh 0x0000001f jnp 00007F72B8E40BF6h 0x00000025 jmp 00007F72B8E40C06h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A66C second address: C9A672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A672 second address: C9A676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9A676 second address: C9A67A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7EB5 second address: CE7EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE7EBA second address: CE7ECA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F72B9AA7986h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEFF0C second address: CEFF32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F72B8E40BF6h 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007F72B8E40BF6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F72B8E40C02h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF006B second address: CF0077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0235 second address: CF0241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F72B8E40BF6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0241 second address: CF0247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0247 second address: CF0255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F72B8E40BF6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0C75 second address: CF0C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0C79 second address: CF0C7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0E56 second address: CF0E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jbe 00007F72B9AA7986h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0E65 second address: CF0E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F72B8E40BF6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF0FB1 second address: CF0FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEFC19 second address: CEFC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEFC1D second address: CEFC30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA798Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA17A second address: CFA17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA17E second address: CFA182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA306 second address: CFA30A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF9E3D second address: CF9E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF9E41 second address: CF9E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF9E45 second address: CF9E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F72B9AA7986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF9E54 second address: CF9E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B8E40C01h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFADBA second address: CFADC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD453 second address: CFD48A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007F72B8E40C07h 0x0000000c jmp 00007F72B8E40C02h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD48A second address: CFD4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B9AA7999h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F72B9AA798Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFCFDF second address: CFCFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD13C second address: CFD149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007F72B9AA798Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD149 second address: CFD14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD14F second address: CFD171 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F72B9AA799Dh 0x00000008 jmp 00007F72B9AA7997h 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFFEAB second address: CFFEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFFEAF second address: CFFEB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFFEB3 second address: CFFEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F72B8E40BFEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73D33 second address: C73D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73D39 second address: C73D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73D3F second address: C73D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09738 second address: D09741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09741 second address: D09747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09747 second address: D0974B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0974B second address: D0974F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0974F second address: D09786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F72B8E40BFCh 0x0000000c je 00007F72B8E40BF6h 0x00000012 popad 0x00000013 jmp 00007F72B8E40C00h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jns 00007F72B8E40BF6h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09786 second address: D0978C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0978C second address: D097A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72B8E40BFBh 0x00000009 js 00007F72B8E40BF6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09A70 second address: D09A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09A74 second address: D09A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A020 second address: D0A02A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F72B9AA7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A02A second address: D0A039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A039 second address: D0A048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007F72B9AA7986h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0A9E2 second address: D0A9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E9C0 second address: D0E9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F72B9AA7986h 0x0000000d jmp 00007F72B9AA798Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E9DA second address: D0E9E7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F72B8E40BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DCB0 second address: D0DCDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F72B9AA799Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F72B9AA7996h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DCDA second address: D0DCE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DCE0 second address: D0DCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F72B9AA798Dh 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DFBD second address: D0DFC7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F72B8E40BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E156 second address: D0E16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jg 00007F72B9AA7986h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E16E second address: D0E17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jnl 00007F72B8E40BF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E431 second address: D0E43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E43B second address: D0E443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E443 second address: D0E453 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007F72B9AA7986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E453 second address: D0E457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E5A6 second address: D0E5AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156C4 second address: D156CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156CA second address: D156CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156CE second address: D156F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C09h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F72B8E40BFAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D156F7 second address: D156FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15A04 second address: D15A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15A0A second address: D15A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15A0E second address: D15A1A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F72B8E40BF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15A1A second address: D15A35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA7992h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15A35 second address: D15A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F72B8E40BFCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15A4A second address: D15A4F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15D1D second address: D15D31 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F72B8E40BF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F72B8E40BF8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15D31 second address: D15D37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15D37 second address: D15D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15D3B second address: D15D45 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D162FD second address: D16301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16301 second address: D16317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F72B9AA7990h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B33 second address: D16B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B3A second address: D16B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72B9AA7997h 0x00000009 jnc 00007F72B9AA7986h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B5B second address: D16B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B5F second address: D16B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F72B9AA7986h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B72 second address: D16B94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F72B8E40BF6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B94 second address: D16B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16B9A second address: D16BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16E4C second address: D16E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16E50 second address: D16E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F72B8E40C03h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D16E69 second address: D16E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F72B9AA798Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AED1 second address: D1AED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AED5 second address: D1AEDF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F72B9AA7986h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AEDF second address: D1AEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jng 00007F72B8E40BF6h 0x0000000d pop edi 0x0000000e jmp 00007F72B8E40BFBh 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AEFE second address: D1AF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F72B9AA7986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1A511 second address: D1A517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1A517 second address: D1A51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1A51D second address: D1A522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1A66D second address: D1A672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1A935 second address: D1A93D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AACA second address: D1AACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AACE second address: D1AAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AAD2 second address: D1AADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AADC second address: D1AAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1AAE0 second address: D1AAE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F525 second address: D1F546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F72B8E40C05h 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F546 second address: D1F54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20C41 second address: D20C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F72B8E40BF6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20C4D second address: D20C53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20C53 second address: D20C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20C5D second address: D20C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B9AA798Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2730E second address: D27313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27AC3 second address: D27ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA7993h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27ADC second address: D27AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F72B8E40BF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27C96 second address: D27C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27E01 second address: D27E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F72B8E40BFAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F72B8E40C09h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27E2C second address: D27E64 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F72B9AA7986h 0x00000008 jmp 00007F72B9AA7993h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F72B9AA7996h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27FB4 second address: D27FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27FB8 second address: D27FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D27FBC second address: D27FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F72B8E40BF6h 0x0000000e jl 00007F72B8E40BF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28DC6 second address: D28DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B9AA798Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D32410 second address: D32414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D32414 second address: D3241F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31F95 second address: D31FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jno 00007F72B8E40BF6h 0x0000000e jno 00007F72B8E40BF6h 0x00000014 popad 0x00000015 push ecx 0x00000016 jng 00007F72B8E40BF6h 0x0000001c pop ecx 0x0000001d popad 0x0000001e push edi 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31FB7 second address: D31FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31FBD second address: D31FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jmp 00007F72B8E40C00h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31FD6 second address: D31FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D31FDA second address: D31FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49AB1 second address: D49AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D523A7 second address: D523BD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F72B8E40BFEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D523BD second address: D523E2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F72B9AA7986h 0x00000008 jmp 00007F72B9AA7995h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53CAE second address: D53CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F72B8E40BF6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59F04 second address: D59F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59F08 second address: D59F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5A069 second address: D5A083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F72B9AA7986h 0x0000000e jmp 00007F72B9AA798Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5A1ED second address: D5A1F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D240 second address: D5D244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D244 second address: D5D24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D24A second address: D5D250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6124A second address: D61250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D61250 second address: D6127C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B9AA7993h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F72B9AA7990h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6127C second address: D61293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C03h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D61293 second address: D612A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F72B9AA798Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D612A9 second address: D612B9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F72B8E40BF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D612B9 second address: D612BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D612BD second address: D612DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F72B8E40BFBh 0x0000000e pushad 0x0000000f jmp 00007F72B8E40BFBh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D612DF second address: D612E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7DF88 second address: D7DFB2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F72B8E40BF6h 0x00000008 jmp 00007F72B8E40C05h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 ja 00007F72B8E40BF6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7FB37 second address: D7FB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7FB40 second address: D7FB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7FB44 second address: D7FBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F72B9AA7997h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F72B9AA7988h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jne 00007F72B9AA798Ah 0x0000001b pushad 0x0000001c jmp 00007F72B9AA7992h 0x00000021 jbe 00007F72B9AA7986h 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a pop eax 0x0000002b popad 0x0000002c jmp 00007F72B9AA798Eh 0x00000031 push eax 0x00000032 push edx 0x00000033 push edi 0x00000034 pop edi 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99926 second address: D9993E instructions: 0x00000000 rdtsc 0x00000002 js 00007F72B8E40C0Ah 0x00000008 jmp 00007F72B8E40BFEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9993E second address: D99946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99946 second address: D9994A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9994A second address: D9995E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F72B9AA79A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9995E second address: D99962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D98894 second address: D988AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F72B9AA7990h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99042 second address: D99046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D991AB second address: D991B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99470 second address: D99476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D995B3 second address: D995D6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F72B9AA7986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F72B9AA7991h 0x0000000f js 00007F72B9AA798Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D995D6 second address: D995ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 jmp 00007F72B8E40BFDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D995ED second address: D99607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F72B9AA7995h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99607 second address: D99613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F72B8E40BF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99613 second address: D99617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9D737 second address: D9D761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F72B8E40C08h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jnp 00007F72B8E40BF6h 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9D81F second address: D9D838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F72B9AA7992h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9D838 second address: D9D83C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCB2 second address: D9DCB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCB6 second address: D9DCE3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 or dword ptr [ebp+122D2537h], ecx 0x0000000e or dword ptr [ebp+122D25D4h], ecx 0x00000014 push dword ptr [ebp+12464262h] 0x0000001a mov dx, 1AD2h 0x0000001e push 15991B00h 0x00000023 push eax 0x00000024 push edx 0x00000025 push esi 0x00000026 jc 00007F72B8E40BF6h 0x0000002c pop esi 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCE3 second address: D9DCF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F72B9AA798Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0F14 second address: DA0F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0F1A second address: DA0F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0F1E second address: DA0F38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0F38 second address: DA0F42 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F72B9AA798Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0F42 second address: DA0F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F72B8E40C07h 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F72B8E40BF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0F68 second address: DA0F96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F72B9AA798Ah 0x0000000f jmp 00007F72B9AA7992h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D07 second address: 2EB0D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D0B second address: 2EB0D1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B9AA798Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D1E second address: 2EB0D7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f jmp 00007F72B8E40BFEh 0x00000014 test ecx, ecx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F72B8E40BFEh 0x0000001d and si, 1A78h 0x00000022 jmp 00007F72B8E40BFBh 0x00000027 popfd 0x00000028 popad 0x00000029 jns 00007F72B8E40C4Bh 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D7F second address: 2EB0D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D83 second address: 2EB0D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D87 second address: 2EB0D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0D8D second address: 2EB0DB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0DB2 second address: 2EB0DB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB0DB8 second address: 2EB0DED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax+00000860h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F72B8E40C07h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB4CD9 second address: CB4CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E0022 second address: 50E009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F72B8E40C07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F72B8E40C09h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov si, 0443h 0x00000015 pushfd 0x00000016 jmp 00007F72B8E40C08h 0x0000001b adc cx, 6108h 0x00000020 jmp 00007F72B8E40BFBh 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c call 00007F72B8E40BFBh 0x00000031 pop esi 0x00000032 movsx edx, cx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E009D second address: 50E00D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 04A4EE14h 0x00000008 pushfd 0x00000009 jmp 00007F72B9AA798Dh 0x0000000e or cx, CAD6h 0x00000013 jmp 00007F72B9AA7991h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov edx, dword ptr [ebp+0Ch] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B03D45 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CA565B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CD0EFE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CAF559 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D3471C instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7760

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: file.exe, file.exe, 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000004.00000003.1321868855.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1598907170.000000000113E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 4_2_00AE00D0 LdrInitializeThunk,

4_2_00AE00D0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmp

Binary or memory string: CProgram Manager

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	223 System Information Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
steamcommunity.com	0%	Virustotal	Browse
sergei-esenin.com	18%	Virustotal	Browse
eaglepawnoy.store	19%	Virustotal	Browse
dissapoiznw.store	22%	Virustotal	Browse
bathdoomgaz.store	22%	Virustotal	Browse
spirittunek.store	22%	Virustotal	Browse
licendfilteo.site	16%	Virustotal	Browse
studennotediw.store	18%	Virustotal	Browse
clearancek.site	18%	Virustotal	Browse
mobbipenju.store	22%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://store.steampowered.com/news/	0%	URL Reputation	safe
https://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://store.steampowered.com/stats/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://store.steampowered.com/steam_refunds/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://store.steampowered.com/points/shop/	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://store.steampowered.com/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	0%	URL Reputation	safe
https://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	0%	URL Reputation	safe
https://store.steampowered.com/about/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/badges	100%	URL Reputation	malware
https://steamcommunity.com/my/wishlist/	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	0%	Virustotal		Browse
https://sergei-esenin.com/	0%	Virustotal		Browse
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	0%	Virustotal		Browse
https://www.cloudflare.com/learning/access-management/phishing-attack/	0%	Virustotal		Browse
https://steamcommunity.com/discussions/	0%	Virustotal		Browse
https://steamcommunity.com/market/	0%	Virustotal		Browse
https://sergei-esenin.com/apiM	14%	Virustotal		Browse
https://steamcommunity.com/?subsection=broadcasts	0%	Virustotal		Browse
bathdoomgaz.store	22%	Virustotal		Browse
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	0%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	0%	Virustotal		Browse
studennotediw.store	18%	Virustotal		Browse
https://steamcommunity.com/workshop/	0%	Virustotal		Browse
https://eaglepawnoy.store:443/api	22%	Virustotal		Browse
clearancek.site	18%	Virustotal		Browse
dissapoiznw.store	22%	Virustotal		Browse
spirittunek.store	22%	Virustotal		Browse
licendfilteo.site	16%	Virustotal		Browse
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	0%	Virustotal		Browse
eaglepawnoy.store	19%	Virustotal		Browse
https://sergei-esenin.com:443/apifiles/76561199724331900	9%	Virustotal		Browse
https://www.cloudflare.com/5xx-error-landing	0%	Virustotal		Browse
https://sergei-esenin.com:443/api	19%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
steamcommunity.com	104.102.49.254	true	true	0%, Virustotal, Browse	unknown
sergei-esenin.com	104.21.53.8	true	true	18%, Virustotal, Browse	unknown
eaglepawnoy.store	unknown	unknown	true	19%, Virustotal, Browse	unknown
bathdoomgaz.store	unknown	unknown	true	22%, Virustotal, Browse	unknown
spirittunek.store	unknown	unknown	true	22%, Virustotal, Browse	unknown
licendfilteo.site	unknown	unknown	true	16%, Virustotal, Browse	unknown
studennotediw.store	unknown	unknown	true	18%, Virustotal, Browse	unknown
mobbipenju.store	unknown	unknown	true	22%, Virustotal, Browse	unknown
clearancek.site	unknown	unknown	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	unknown	unknown	true	22%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bathdoomgaz.store	true	22%, Virustotal, Browse	unknown
studennotediw.store	true	18%, Virustotal, Browse	unknown
clearancek.site	true	18%, Virustotal, Browse	unknown
dissapoiznw.store	true	22%, Virustotal, Browse	unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
spirittunek.store	true	22%, Virustotal, Browse	unknown
licendfilteo.site	true	16%, Virustotal, Browse	unknown
eaglepawnoy.store	true	19%, Virustotal, Browse	unknown
mobbipenju.store	true		unknown
https://sergei-esenin.com/api	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/my/wishlist/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/	file.exe, 00000004.00000003.1321594830.0000000001209000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowU)	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://help.steampowered.com/en/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/market/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://store.steampowered.com/news/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/	file.exe, 00000004.00000003.1321868855.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://licendfilteo.site:443/apid	file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/apiM	file.exe, 00000004.00000002.1598907170.00000000011BD000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse	unknown
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.valvesoftware.com/legal.htm	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/discussions/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/stats/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/steam_refunds/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://steamcommunity.com/workshop/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://eaglepawnoy.store:443/api	file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse	unknown
https://store.steampowered.com/legal/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com/LOu	file.exe, 00000004.00000003.1321868855.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011BD000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/points/shop/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
https://store.steampowered.com/	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/learning/access-manMV	file.exe, 00000004.00000003.1321868855.00000000011AF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://www.cloudflare.com/learning/access-man	file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sergei-esenin.com:443/apifiles/76561199724331900	file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/privacy_agreement/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-error-landing	file.exe, 00000004.00000003.1321594830.0000000001209000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321750221.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.cloudflare.com/5xx-errop	file.exe, 00000004.00000002.1598907170.0000000001193000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sergei-esenin.com:443/api	file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	true	19%, Virustotal, Browse	unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321709069.0000000001208000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/about/	file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://studennotediw.store:443/api:	file.exe, 00000004.00000002.1598907170.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900/badges	file.exe, 00000004.00000003.1321636669.0000000001200000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000004.00000003.1321728397.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1533037
Start date and time:	2024-10-14 11:02:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@10/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:03:11	API Interceptor	3x Sleep call for process: file.exe modified
06:16:57	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.53.8	Verus.exe	Get hash	malicious	LummaC	Browse
	Executor.exe	Get hash	malicious	LummaC	Browse
	Solara.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SoftWare.exe	Get hash	malicious	LummaC	Browse
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	SecuriteInfo.com.Win32.Evo-gen.11764.10915.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sergei-esenin.com	Verus.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	SoftWare.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(2).exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SoftWare(1).exe	Get hash	malicious	LummaC	Browse	104.21.53.8
steamcommunity.com	loader.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Verus.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Executor.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	Solara.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://puzzlewood.net	Get hash	malicious	Unknown	Browse	104.26.7.189
	http://www.umb-re.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	104.23.26.35
	https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=selin.basaran@digiturk.com.tr	Get hash	malicious	Unknown	Browse	104.21.29.214
	https://narrow-light-alley.glitch.me/public/40.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://7suexjabb.cc.rs6.net/tn.jsp?f=001xE8SRwhigmS1t9Q8hharXEkJMtvyfHXyEtdChqRiKNIU6tHdVYZrXGoe4i5Oj7rJImD0z9FA9Z7Ns4_zzose6K4lQVeh2_tGOuTiXbWZeuXhaxX7ZExtB4Td1A03nBtQqSZ5QuAnpfceJlaAlK8LlVk_IFIQFC0HoZlDVtfYJ4608JDpqDknb8nuq6XfWPT8zPJXPlvUq6JBwLgT2V2rRco8OpMRVpBWXlDFx7Wa6-JLGG4j0T_z6-voVUEFkiL1LCMiOTeo2QIvK4QEL2LvJxl710RO4fN0VaMWVH9l6y0is4HN5Cx1Qqzl3DAZvvAuiLje330c-f-GdQOY-XTh1y0wrZR-jvtH8jZkGl5Vm4F_UxI-aORgSa4SEUcwRQ9lSV5NXig_pDFPkhWhUs1rJDroriPBbNmNa_eacU5P8HamXhTNKnvtjdOfUUzwPzxuQ12d4wDOvzs=&c=UsjVlbhyxWUzaXBilvRA7ixl0RUEg9wKLi4E_LzFtdA_im3u-L0cAA==&ch=uLTh3SIB3Q3_uex37lbJeSd4Xs7ZrX-qKnWJPNBj-ulohMTWcqn3qg==	Get hash	malicious	Unknown	Browse	1.1.1.1
	loader.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=pucom@hdel.co.kr	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	Verus.exe	Get hash	malicious	LummaC	Browse	172.67.140.193
	Snvlerier.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
AKAMAI-ASUS	na.elf	Get hash	malicious	Mirai, Okiru	Browse	104.108.49.254
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	23.197.217.29
	loader.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Verus.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Solara.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	loader.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	Verus.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	Executor.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254
	SoftWare.exe	Get hash	malicious	LummaC	Browse	104.21.53.8 104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_f5b4a6202a53ee73c263cc4c99e711b13cd935ac_85207d7d_60a13b95-4b9d-48c6-9f21-7624c89f66a0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5816726361411275
Encrypted:	false
SSDEEP:	96:PEikZF9cTKwvcsQhMov7JfqQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAjf/VH:P4Z0GwvcD0WbkQzuiFTZ24IO8b2
MD5:	D0CEB8DE5EFF36C5A5800CECF7BE550F
SHA1:	74AA7EE99A218F6E607B21F9886497BF44E79333
SHA-256:	D4A7CEBFBE98CD684415F22BF1AE501584AF09C055039CACBF37DD05E7A82D73
SHA-512:	2091319DAF1DBD3D3B2D362C99132210C6A1517A3B166D766D39BEB9A96C6F5553948E9E18A37571F4CF771A58F50E6C39FAA2C2811FEE6A6F249FE0C8C0F837
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.7.0.1.9.6.6.9.9.9.4.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.7.0.2.0.0.9.1.8.7.0.1.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.a.1.3.b.9.5.-.4.b.9.d.-.4.8.c.6.-.9.f.2.1.-.7.6.2.4.c.8.9.f.6.6.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.f.b.2.6.7.c.-.2.4.0.0.-.4.0.5.9.-.8.4.7.7.-.3.1.d.e.9.0.c.a.4.0.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.8.-.0.0.0.1.-.0.0.1.4.-.a.f.d.6.-.0.5.e.4.1.7.1.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.5.0.a.3.2.5.3.1.b.0.9.0.9.9.c.a.a.4.7.c.e.3.1.7.a.8.9.c.4.d.d.3.8.b.0.a.7.f.2.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3470.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8316
Entropy (8bit):	3.6842295844188437
Encrypted:	false
SSDEEP:	192:R6l7wVeJRCv6g6YNtSUepgmfh9pr789b6EsfS+m:R6lXJ06g6Y3SUepgmfh863fy
MD5:	B2D2A676DDFE8300D1ECA7335EA81456
SHA1:	36DDF276FDE54159D03A331316E3A3EA4068A2D6
SHA-256:	2D9971C71C4DE8B36074D00D89CF8D0BA1C19EAF68524266FD5A444D8F059346
SHA-512:	8EA5132E45C96FA9445CDB6E9E00C12E99DFFDA0C4FFB7E5C492CB354BF74F09BCE132987CCDD82AEC3215D5789B80B2D2B6EDBBE148D039E63109BABD826970
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3490.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4571
Entropy (8bit):	4.4416444986680865
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg77aI9rwWpW8VYoYm8M4JTEFBV+q8aGcMe3d:uIjf5I7NJ7V8JeMcMe3d
MD5:	378437355F2AF79E72F3C2F282044FFF
SHA1:	A70FA4178D6C3D088003B0384497B45F0BC3D070
SHA-256:	139F753BBECD14C381BBD621C198DC2D1FA771F0740FAD0ECB222F648C6EA0A2
SHA-512:	A4CAC20D9A3ABCD5DDA7C61578581C3F55B3E0D9D9E8411EC942F0E43730268F27E6A4D670DC10C015B24F8728040F69C455E2174D6114B85C4AF32E98CE868E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542886" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\WER24A0.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4790
Entropy (8bit):	3.2536549940520088
Encrypted:	false
SSDEEP:	96:pwpIilkXkkXwkynEuWy0QT0QV0Qgk0QXJ0Q00Q+MEFgbXTaszeuzSzbxGQI5lmcW:pAlR+u+9SoeyOkNa
MD5:	8D6D2B4A89242331E92918509670EBF0
SHA1:	4323D589AA0339ECCAE03E3F50EF043E822CE2AA
SHA-256:	BA55A8BB1AF769A63229D0C16C87CB9B5B202FA7947395FF92DB1CC2B93DB131
SHA-512:	600A61E391ABEB5C63239522214B412D965917B7CBA8D26C502148E60C7CE907ABD8376C77FDBAE27AE407376D10FD300DE40B93B1282B0FF3AC7FEBFCA44A44
Malicious:	false
Reputation:	low
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .6.9.8.2.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .4.6.0.3.4. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .3.6. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .2.9.9.5.2. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .4.3.8.1.2.4.9.6. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . .

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416520369791879
Encrypted:	false
SSDEEP:	6144:ncifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN85+:ci58oSWIZBk2MM6AFBqo
MD5:	B905ABDE3599324528DA12F01E7E6884
SHA1:	6B063B648782C8050673776C809D319DE864916A
SHA-256:	BC394E2585165F6E5B89A0790D3950602E5A99C33B4D84A80D84305A3BBFE1A8
SHA-512:	CCF047C2C8D5D5BB5341936A44B33BD20C7E8E5A75C8AC158B89409E3AECEABF07B72DB8614D13053EA1F31677C416280F90504EBD85D706B916FFE13F79D364
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.78.................................................................................................................................................................................................................................................................................................................................................C./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.529077850939505
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'963'456 bytes
MD5:	b7c6caceb7f0ff55a6d276ef2d4505af
SHA1:	b50a32531b09099caa47ce317a89c4dd38b0a7f2
SHA256:	8c67a0c7241778a14e218933a14a80797a45fca028aff527b42b2f6192a68387
SHA512:	0393058da2a88f4d3c23d32277f6366b4fc68dd873c887b4d006057022ec9e087f4be3091b11a6befc88633395634a17f5105e7bf36dfa1d22026cdde967720d
SSDEEP:	49152:St1I257awrRSvE/kJDZ096+OFxkokD86Wo2ILiTYWvXtZop+/s+bv:XE7awrRWE/kJDZ096+OPMD8X6LiTTPtT
TLSH:	0CD54CAAB50972CFE48F27B89017CD42595D06F94B104CCB982D78BABDA3CC53DB6C25
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................0...........@...........................0.....%.....@.................................W...k..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x70b000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F72B996AAAAh
movhps xmm5, qword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
inc dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x5d000	0x25e00	5cb7bdb4555f93ed9b313a8f06afe31d	False	0.9995423370462047	data	7.982810470141253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5e000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f000	0x1000	0x200	fe72def8b74193a84232a780098a7ce0	False	0.150390625	data	1.04205214219471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dobewrry	0x60000	0x2aa000	0x2aa000	4bca492f5f747e9da5cf90f79eb0a86d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
uiaqfnoj	0x30a000	0x1000	0x600	5317057dba8c33b33f30e77648facfc5	False	0.5950520833333334	data	5.112084333461452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x30b000	0x3000	0x2200	be09b864d4d9c02a450786a62f45860f	False	0.0857077205882353	DOS executable (COM)	1.0537364740183492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T11:03:11.568759+0200	2056471	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site)	1	192.168.2.7	55665	1.1.1.1	53	UDP
2024-10-14T11:03:11.616617+0200	2056485	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store)	1	192.168.2.7	50482	1.1.1.1	53	UDP
2024-10-14T11:03:11.628627+0200	2056483	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store)	1	192.168.2.7	61034	1.1.1.1	53	UDP
2024-10-14T11:03:11.640630+0200	2056481	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store)	1	192.168.2.7	52001	1.1.1.1	53	UDP
2024-10-14T11:03:11.653259+0200	2056479	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store)	1	192.168.2.7	57236	1.1.1.1	53	UDP
2024-10-14T11:03:11.668185+0200	2056477	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store)	1	192.168.2.7	51562	1.1.1.1	53	UDP
2024-10-14T11:03:11.686786+0200	2056475	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store)	1	192.168.2.7	63975	1.1.1.1	53	UDP
2024-10-14T11:03:11.800129+0200	2056473	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site)	1	192.168.2.7	51654	1.1.1.1	53	UDP
2024-10-14T11:03:13.680682+0200	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49699	104.102.49.254	443	TCP
2024-10-14T11:03:14.459626+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49701	104.21.53.8	443	TCP
2024-10-14T11:03:14.459626+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49701	104.21.53.8	443	TCP
2024-10-14T11:03:15.541991+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49707	104.21.53.8	443	TCP
2024-10-14T11:03:15.541991+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49707	104.21.53.8	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 11:03:11.925088882 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:11.925138950 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:11.925266981 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:11.951106071 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:11.951155901 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:12.697824001 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:12.697920084 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:12.930027962 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:12.930061102 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:12.930936098 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:12.973983049 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.209891081 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.255403042 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.680783987 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.680840015 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.680864096 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.680901051 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.680917025 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.680932045 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.680943966 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.680959940 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.680980921 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.681004047 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.818034887 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.818094015 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.818288088 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.818289042 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.818361044 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.818429947 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.825016975 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.825095892 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.825124025 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.825208902 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.825223923 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.825284958 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.825339079 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.826143980 CEST	49699	443	192.168.2.7	104.102.49.254
Oct 14, 2024 11:03:13.826175928 CEST	443	49699	104.102.49.254	192.168.2.7
Oct 14, 2024 11:03:13.841752052 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:13.841783047 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:13.841871023 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:13.842657089 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:13.842673063 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.326862097 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.327282906 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.328744888 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.328749895 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.329134941 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.330966949 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.330966949 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.331053019 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.459703922 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.459805012 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.459898949 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.459971905 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.460138083 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.460230112 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.460597992 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.460777998 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.460777998 CEST	49701	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.460788965 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.460797071 CEST	443	49701	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.592235088 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.592293978 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:14.592447996 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.592781067 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:14.592798948 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.068820000 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.070534945 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.070534945 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.070561886 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.071377993 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.073215008 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.073215008 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.073308945 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.542407990 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.542829990 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.542962074 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.594626904 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.594657898 CEST	443	49707	104.21.53.8	192.168.2.7
Oct 14, 2024 11:03:15.594665051 CEST	49707	443	192.168.2.7	104.21.53.8
Oct 14, 2024 11:03:15.594671965 CEST	443	49707	104.21.53.8	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 11:03:11.568758965 CEST	55665	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.578018904 CEST	53	55665	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.616616964 CEST	50482	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.626558065 CEST	53	50482	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.628627062 CEST	61034	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.638441086 CEST	53	61034	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.640630007 CEST	52001	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.651756048 CEST	53	52001	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.653259039 CEST	57236	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.662905931 CEST	53	57236	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.668184996 CEST	51562	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.678180933 CEST	53	51562	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.686785936 CEST	63975	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.696476936 CEST	53	63975	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.800128937 CEST	51654	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.811631918 CEST	53	51654	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:11.841077089 CEST	61863	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:11.849689007 CEST	53	61863	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:13.829816103 CEST	61452	53	192.168.2.7	1.1.1.1
Oct 14, 2024 11:03:13.840518951 CEST	53	61452	1.1.1.1	192.168.2.7
Oct 14, 2024 11:03:53.246499062 CEST	53	59993	162.159.36.2	192.168.2.7
Oct 14, 2024 11:03:53.758929014 CEST	53	60904	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 11:03:11.568758965 CEST	192.168.2.7	1.1.1.1	0x9eff	Standard query (0)	clearancek.site	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.616616964 CEST	192.168.2.7	1.1.1.1	0xdadd	Standard query (0)	mobbipenju.store	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.628627062 CEST	192.168.2.7	1.1.1.1	0xc5c4	Standard query (0)	eaglepawnoy.store	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.640630007 CEST	192.168.2.7	1.1.1.1	0xc29b	Standard query (0)	dissapoiznw.store	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.653259039 CEST	192.168.2.7	1.1.1.1	0x83db	Standard query (0)	studennotediw.store	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.668184996 CEST	192.168.2.7	1.1.1.1	0x619d	Standard query (0)	bathdoomgaz.store	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.686785936 CEST	192.168.2.7	1.1.1.1	0xb3f6	Standard query (0)	spirittunek.store	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.800128937 CEST	192.168.2.7	1.1.1.1	0x472	Standard query (0)	licendfilteo.site	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.841077089 CEST	192.168.2.7	1.1.1.1	0xd58c	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:13.829816103 CEST	192.168.2.7	1.1.1.1	0x744f	Standard query (0)	sergei-esenin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 11:03:11.578018904 CEST	1.1.1.1	192.168.2.7	0x9eff	Name error (3)	clearancek.site	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.626558065 CEST	1.1.1.1	192.168.2.7	0xdadd	Name error (3)	mobbipenju.store	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.638441086 CEST	1.1.1.1	192.168.2.7	0xc5c4	Name error (3)	eaglepawnoy.store	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.651756048 CEST	1.1.1.1	192.168.2.7	0xc29b	Name error (3)	dissapoiznw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.662905931 CEST	1.1.1.1	192.168.2.7	0x83db	Name error (3)	studennotediw.store	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.678180933 CEST	1.1.1.1	192.168.2.7	0x619d	Name error (3)	bathdoomgaz.store	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.696476936 CEST	1.1.1.1	192.168.2.7	0xb3f6	Name error (3)	spirittunek.store	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.811631918 CEST	1.1.1.1	192.168.2.7	0x472	Name error (3)	licendfilteo.site	none	none	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:11.849689007 CEST	1.1.1.1	192.168.2.7	0xd58c	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:13.840518951 CEST	1.1.1.1	192.168.2.7	0x744f	No error (0)	sergei-esenin.com		104.21.53.8	A (IP address)	IN (0x0001)	false
Oct 14, 2024 11:03:13.840518951 CEST	1.1.1.1	192.168.2.7	0x744f	No error (0)	sergei-esenin.com		172.67.206.204	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sergei-esenin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	104.102.49.254	443	7576	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:03:13 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-10-14 09:03:13 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Mon, 14 Oct 2024 09:03:13 GMT Content-Length: 34837 Connection: close Set-Cookie: sessionid=42a5f93178e54f41e8bcf130; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-14 09:03:13 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-14 09:03:13 UTC	16384	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-14 09:03:13 UTC	3768	IN	Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 Data Ascii: <div class="profile_summary_footer"><span data-panel="{"focusable":true,"clickOnActivate":true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-14 09:03:13 UTC	171	IN	Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	104.21.53.8	443	7576	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:03:14 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sergei-esenin.com
2024-10-14 09:03:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-14 09:03:14 UTC	555	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:03:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OVnfhxm770B5OTK3sr4%2FOMc02DOBsFyV%2BwWuFp2z4tzzYkTcXzvxDuyhcdgCONGsr1uN7mumLML%2BCRnDJXVKggIk1X8GL834kNA0E%2BU7in2WlUGqvpioNQwyodvoBPR7C7VQOQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266523084a43fb-EWR
2024-10-14 09:03:14 UTC	814	IN	Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2024-10-14 09:03:14 UTC	1369	IN	Data Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
2024-10-14 09:03:14 UTC	1369	IN	Data Raw: 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 Data Ascii: agement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <i
2024-10-14 09:03:14 UTC	889	IN	Data Raw: 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 Data Ascii: <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="b
2024-10-14 09:03:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49707	104.21.53.8	443	7576	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-14 09:03:15 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=AqhxCjlq_E3AgO9n.7dMsBL7zg.kGWAWYSyOi_3alMM-1728896594-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: sergei-esenin.com
2024-10-14 09:03:15 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-14 09:03:15 UTC	835	IN	HTTP/1.1 200 OK Date: Mon, 14 Oct 2024 09:03:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=47f0s1brka4d99rmtv1137dkg4; expires=Fri, 07 Feb 2025 02:49:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UWxVE6M8NyRecs22wx95PbUUa%2FpW%2BSztonTFkD2bmm1ass8YcGsvJ%2BaCTJt576r9%2FpEBZ94ag%2BbDickQjc45nmyl91nE%2BwP%2BJjcPiWduzoGMKA9O5DB5IzmYQIzfppj09XoPKQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d266527b9d919cf-EWR alt-svc: h3=":443"; ma=86400
2024-10-14 09:03:15 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-10-14 09:03:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	4
Start time:	05:03:09
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xaa0000
File size:	2'963'456 bytes
MD5 hash:	B7C6CACEB7F0FF55A6D276EF2D4505AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:03:16
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7576 -s 1940
Imagebase:	0xaf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	35.4%
Total number of Nodes:	206
Total number of Limit Nodes:	16

Executed Functions

Function 00AAFCA0 Relevance: 6.6, Strings: 5, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

V, xrefs: 00AAFEDC
J|BJ, xrefs: 00AB000D
VY^_, xrefs: 00AAFDFF
AqhxCjlq_E3AgO9n.7dMsBL7zg.kGWAWYSyOi_3alMM-1728896594-0.0.1.1-/api, xrefs: 00AB0137, 00AB0154
t, xrefs: 00AAFCBE

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: AqhxCjlq_E3AgO9n.7dMsBL7zg.kGWAWYSyOi_3alMM-1728896594-0.0.1.1-/api$J|BJ$V$VY^_$t
API String ID: 0-2979357158
Opcode ID: 85822ee3c0a7d80bd73f5c995c6b97371ef357610c927d36986b7ba59ed289e5
Instruction ID: b93ddc44e6849382d27be7ef245efaf447054af36c5043887893b6af8f82f615
Opcode Fuzzy Hash: 85822ee3c0a7d80bd73f5c995c6b97371ef357610c927d36986b7ba59ed289e5
Instruction Fuzzy Hash: 52D1877450C3809FD315EF58D490AAFBBE5AB96B44F18892CF4C98B252C336CD49DB92

Function 00AB049B Relevance: .3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc580823d8be391435c357870d0f7789e6f567ffbfa3a91968adb8a84e11f8e4
Instruction ID: 93e61609c4591aa0cab660fc951db49ed54357e7749ad1ef8656b7e3e8b8d639
Opcode Fuzzy Hash: dc580823d8be391435c357870d0f7789e6f567ffbfa3a91968adb8a84e11f8e4
Instruction Fuzzy Hash: 83918C75200B00CFD724CF65E894A27B7F6FF89314B118A6DE8568BAA2D731F816CB50

Function 00AB0228 Relevance: .2, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59361bfd83f084b68bf83b60c0d59c4f97376b67d5e54aa7717fd3b79a26aa46
Instruction ID: e96e74e0bbd611048f7180db570d30714145a1cd1fe83771df66f09ff82ba255
Opcode Fuzzy Hash: 59361bfd83f084b68bf83b60c0d59c4f97376b67d5e54aa7717fd3b79a26aa46
Instruction Fuzzy Hash: 44716B74200B40DFD724CFA1E894B27B7FAFF89315F108969E9568B662D731E816CB50

Function 00AAD110 Relevance: .2, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fdd580cb0d936c2005e6406d665843482bae2d601d78ff3c98d13075bc783f8
Instruction ID: 3180595159d00c9b68ce7be301fbb98971db2c706ad7019217144f425715e475
Opcode Fuzzy Hash: 4fdd580cb0d936c2005e6406d665843482bae2d601d78ff3c98d13075bc783f8
Instruction Fuzzy Hash: 2641427440D380ABC701AB68D284A2EFBF5AF97704F148C1CE5C59B692C33AD814DB67

Function 00AE99D0 Relevance: .1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9eff71ab1bf47cd8ebb81cc03ba349e70a7abc58f68f4050946515bd9134bd5
Instruction ID: cb754e59e3b0ba6ce97dd06d3cd0de2fe329f8dbb16c22dc742b9194a939557c
Opcode Fuzzy Hash: b9eff71ab1bf47cd8ebb81cc03ba349e70a7abc58f68f4050946515bd9134bd5
Instruction Fuzzy Hash: A0418274608380AFD714DB56D990B2BB7F6EF85754F54882CF58597251D331EC02CB52

Function 00AE00D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cbf2ed76a800fa5fc6030ff0b6c9ff89f1af1789fe71090c89ca86ff5befe9
Instruction ID: 6f40a96d66e927e934bf989b4057074d181aae96f6c787d598269bc88de8229e
Opcode Fuzzy Hash: 49cbf2ed76a800fa5fc6030ff0b6c9ff89f1af1789fe71090c89ca86ff5befe9
Instruction Fuzzy Hash: 12210B3250C3904FC7195E2A989062FB7E2DBC5310F1A863EE9A68F381D5758DC09392

Function 00AE3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00AE32A6

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3327a40e94410e7b4d9d8f995800792e459f800f887161cd8cd7bb071df844c1
Instruction ID: a879fbbd7da57a264ae810a53187de408058abad638bd0d5c8976a5cf1edcf61
Opcode Fuzzy Hash: 3327a40e94410e7b4d9d8f995800792e459f800f887161cd8cd7bb071df844c1
Instruction Fuzzy Hash: B0016D3550D280DBC711EF98E849A2ABBE8EF5A700F05491CE5C58B361D335DD60DBA2

Function 00AE5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00AE98C0,005C003F,00000002,00000018,?), ref: 00AE5BDE

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00AB2F6F Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00AB2F81

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 52fc428a25a718a2d5020d3c93a677fd321ebbda0a25877ee564464199e21b00
Instruction ID: 5918dfefff25553ec0a8810a7f06cb4b82bb930e4bf707347d421fb77aa9b49b
Opcode Fuzzy Hash: 52fc428a25a718a2d5020d3c93a677fd321ebbda0a25877ee564464199e21b00
Instruction Fuzzy Hash: AEC092303C9301F5F03006986C13F0422045302F21F700320F3387C1D48CD07102C51E

Function 00AB2F10 Relevance: 1.3, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00AB2F60

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5567bee4216fbf2a485d7a329b8a3dfc11bbc17b69cc5f64b3a7a1dcd6cc2326
Instruction ID: 637598230264e1e8928ce9aba5f9b36a1fe06d70aa480524cd0e7b1fafad3037
Opcode Fuzzy Hash: 5567bee4216fbf2a485d7a329b8a3dfc11bbc17b69cc5f64b3a7a1dcd6cc2326
Instruction Fuzzy Hash: DBF08965D107006BD630BA3D9D0B7173D78A702260F400729ECE18B3C4F620A81D8BD7

Non-executed Functions

Function 00AC9510 Relevance: 20.4, Strings: 16, Instructions: 427COMMON

Download Yara Rule

Strings

O+f), xrefs: 00AC9634, 00AC963D
T#a-, xrefs: 00AC9AE3
8;, xrefs: 00AC9B13
L3Y=, xrefs: 00AC9B03
2A"_, xrefs: 00AC9980
G+X5, xrefs: 00AC9AF3
,A&C, xrefs: 00AC982E
pq, xrefs: 00AC99E0
!E4G, xrefs: 00AC9836
?M0K, xrefs: 00AC9968
;IJK, xrefs: 00AC983E
z=Q?, xrefs: 00AC9826
B7U1, xrefs: 00AC9AFB
X/R), xrefs: 00AC9AEB
B?Q9, xrefs: 00AC9B0B
G'M!, xrefs: 00AC9ADB

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: !E4G$,A&C$2A"_$8;$;IJK$?M0K$B7U1$B?Q9$G'M!$G+X5$L3Y=$O+f)$T#a-$X/R)$pq$z=Q?
API String ID: 0-655414846
Opcode ID: ef780b1b256427b45d68c90f3d5754d3518599368024bd94f3a9bdb4ec614638
Instruction ID: 20e1664570c840f3a39d92385978dd118cb0d7ff19b2158c6cc99af30cb3dfa6
Opcode Fuzzy Hash: ef780b1b256427b45d68c90f3d5754d3518599368024bd94f3a9bdb4ec614638
Instruction Fuzzy Hash: A4F150B4518380ABD310DF55D985A2BBBF4FB86B44F044D1CF4D99B252D334DA09CBA6

Function 00ACFD10 Relevance: 5.7, Strings: 4, Instructions: 667COMMON

Download Yara Rule

Strings

m1s3, xrefs: 00ACFEC3, 00ACFECB
uvw, xrefs: 00ACFE95
NA_I, xrefs: 00AD036D
:, xrefs: 00AD0087

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: :$NA_I$m1s3$uvw
API String ID: 0-3973114637
Opcode ID: 59f1bdd9c24a1f959bd3626b2e9f7458fd0758c29acab3df1143fc1c41f4f808
Instruction ID: 3b87cfeda1f871cc3da74d78cbe143d2dd3283f6cffd1784617b10042dc275af
Opcode Fuzzy Hash: 59f1bdd9c24a1f959bd3626b2e9f7458fd0758c29acab3df1143fc1c41f4f808
Instruction Fuzzy Hash: 0032B9B0508381DFD311EF69D880B2ABBE1AB8A354F144A6DF5D68B3A2D335D905CF52

Function 00AB3BE2 Relevance: 5.4, Strings: 4, Instructions: 431COMMON

Download Yara Rule

Strings

;z, xrefs: 00AB3C87
p, xrefs: 00AB3C80
ss, xrefs: 00AB3C79
%*+(, xrefs: 00AB3EC4

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+($;z$p$ss
API String ID: 0-2391135358
Opcode ID: 41656c87623d242bec31579977fb06b2fa423998c89be53a0178d25eed57b45c
Instruction ID: 3385b8d322401d2f09828d73ec75f974e040ceebe4b0c773f89fc44f0e5176cf
Opcode Fuzzy Hash: 41656c87623d242bec31579977fb06b2fa423998c89be53a0178d25eed57b45c
Instruction Fuzzy Hash: 35026CB4810B00DFD760EF25D986756BFF4FB06300F50895DE89A8B696E331E419CBA2

Function 00ACC470 Relevance: 4.2, Strings: 3, Instructions: 419COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00ACC8C3, 00ACC8CB
%*+(, xrefs: 00ACC9E4, 00ACC9ED
~/i!, xrefs: 00ACC537

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+($%*+($~/i!
API String ID: 0-4033100838
Opcode ID: cd6f3ced3228e4f9c935c7b0f488160837c40ae2ea3e523e065c7ac8a92809bf
Instruction ID: 5e6dc9cadad02a5d6e946190326ec57587f2e3538a7c48f1f4eda70e6661b4bd
Opcode Fuzzy Hash: cd6f3ced3228e4f9c935c7b0f488160837c40ae2ea3e523e065c7ac8a92809bf
Instruction Fuzzy Hash: 46E187B5918340DFE320DFA5D881B2BBBF5FB85354F48882CE68987251E735D812CB92

Function 00AA8590 Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

), xrefs: 00AA860C
), xrefs: 00AA8616
IEND, xrefs: 00AA89F0

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 11223ff5500628621a52480b322f7052e7991ab087dfd371d847f195ee79a764
Instruction ID: 1f410df6a750212af6b9b0eed546ff9cc306e03b3f727b0ea5cd61c0a7c35af6
Opcode Fuzzy Hash: 11223ff5500628621a52480b322f7052e7991ab087dfd371d847f195ee79a764
Instruction Fuzzy Hash: A1E1D0B1A083029FE310CF28C88572BBBE0BB9A354F14492DE595973C1DB79E915CBC2

Function 00AA35B0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

NaN, xrefs: 00AA360E
Inf, xrefs: 00AA3607

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: b55e44a29094d534e1d1776615fed75330e763dbd08cbb7812ad6ae16e0587c6
Instruction ID: e58267a71daf1c4adca6c242d2ce703d58b2f7415465bf6b06330595b3ab01f7
Opcode Fuzzy Hash: b55e44a29094d534e1d1776615fed75330e763dbd08cbb7812ad6ae16e0587c6
Instruction Fuzzy Hash: 6DD1D472A083119BCB04CF69C88061FBBE5EBC9750F148A2DF999973E0E775DD058B82

Function 00AA5160 Relevance: 1.8, Strings: 1, Instructions: 577COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00AA54C8

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: 3f78d14353569b6de0ceb27d383492ef75088ac4eded698c57a7604a9330eff6
Instruction ID: 173b7e30cc1c0d830459424d03d1fde52c41ab750608476213f5dae4b9e38df0
Opcode Fuzzy Hash: 3f78d14353569b6de0ceb27d383492ef75088ac4eded698c57a7604a9330eff6
Instruction Fuzzy Hash: 0422D3B2E08B428BE7158F39D540326BBA2AFE6304F1D896DE8594B3C1E775DC44C749

Function 00AB6EBF Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00AB6EF3

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: 76d2c5f3e272db843aa4c1bfd2b090b4a01951060dc0b5993fdeac4bfc79ed16
Instruction ID: 225aba99543a08894c02ca0903bfa714ffafae7c7fd13c92d6e396e5485468e9
Opcode Fuzzy Hash: 76d2c5f3e272db843aa4c1bfd2b090b4a01951060dc0b5993fdeac4bfc79ed16
Instruction Fuzzy Hash: D0F1B075A00B01CFD724DF64D981A66B7F6FF89314B248A2DE49787A92EB34F815CB40

Function 00AA7CA4 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

n, xrefs: 00AA7CA7

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: n
API String ID: 0-2013832146
Opcode ID: d6ece1583e4f81533b3ea5cf097a4b4bb6a951cc02eca3b50056e506a59c0374
Instruction ID: b7b48c0b1c0236c340d9322de88551e1a6a64e73fcfa8c20e4ac8e420156f43e
Opcode Fuzzy Hash: d6ece1583e4f81533b3ea5cf097a4b4bb6a951cc02eca3b50056e506a59c0374
Instruction Fuzzy Hash: F702F270515B118FC378CF29C59056ABBF2BF86710BA04A2ED6A78BF91D736B845CB10

Function 00ACCCD0 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00ACCDC3, 00ACCDCB

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 0bcdbc2576e73db4bd8e878c704626c3a491fd2e81ab9b6a71564ea6e13f2727
Instruction ID: 672c5caac4e7b76baa0cbac3a6a5ff807420c7d1ad48950c2ee3f1fd7e3162b0
Opcode Fuzzy Hash: 0bcdbc2576e73db4bd8e878c704626c3a491fd2e81ab9b6a71564ea6e13f2727
Instruction Fuzzy Hash: E1B1E070A083019BD714DF68D880B3BBBF2EF86360F15492CE5CA9B251E335E955CB92

Function 00AAA850 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 00AAA9C3

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 63ee88ffdb8849ed241b297952f74b7286c7b68d0c737033c7973a949c4fcef6
Instruction ID: 2b432e9cb960bd1157c94737ce11bc4d07c5dc0a54b0aa9c898d93bf15c60324
Opcode Fuzzy Hash: 63ee88ffdb8849ed241b297952f74b7286c7b68d0c737033c7973a949c4fcef6
Instruction Fuzzy Hash: 36B119711083819FD325CF28C88061BBBE1AFAA704F444A2DF5D997782D771EA18CB67

Function 00ABD457 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00ABD663, 00ABD66B

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: c25782658e6dbf585c8960d3119258fa9d4ff7bb5fc78486cf208b5aad8e6fa9
Instruction ID: f22d3d62b1273c0d30fe07ef29758530de97123a1eca8f56f831bc515a48cd9d
Opcode Fuzzy Hash: c25782658e6dbf585c8960d3119258fa9d4ff7bb5fc78486cf208b5aad8e6fa9
Instruction Fuzzy Hash: E761C1B1908304DBD720EF98DC52A7AB3B5FF95354F080A28F9858B292F335E911C792

Function 00AE4A40 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00AE4C33, 00AE4C3B

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: f6368e4ebe2df182fbf883de16331c0c11c3c26ecf406151ff3f099b341ab476
Instruction ID: 52e4b568a40a75bd9427cc978c26da7fb663fc986680f7d00aa10993cf509f0c
Opcode Fuzzy Hash: f6368e4ebe2df182fbf883de16331c0c11c3c26ecf406151ff3f099b341ab476
Instruction Fuzzy Hash: 0361E271A083819FD710DF66D890B2ABBEAEBC8314F28891CE5C987291D771EC51CB52

Function 00AAE1A0 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 00AAE333

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081
API String ID: 0-2471034898
Opcode ID: dd9935c1c3f48a0aabd785bb310a979dca89b781fa7cc56d7269a7d7dd76a594
Instruction ID: c522ef4d9dcefff40ecc148ff6ecc51eecac2d13fc520ffb848c0551e9ef7450
Opcode Fuzzy Hash: dd9935c1c3f48a0aabd785bb310a979dca89b781fa7cc56d7269a7d7dd76a594
Instruction Fuzzy Hash: 50511633A196D04BD728C97C4C953AA7A970BA3334F2D876AE9F1CB3E5D65548058390

Function 00AE3920 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00AE39E3, 00AE39EB

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: e2093be4e125a1471ec86c76648574bfcbc65de6940cfd5630c2c1b96caf3a28
Instruction ID: b1da6edc62c005c36d267ff690620c69c9294e4bdd81ba76cf6d179f9287e82f
Opcode Fuzzy Hash: e2093be4e125a1471ec86c76648574bfcbc65de6940cfd5630c2c1b96caf3a28
Instruction Fuzzy Hash: D85190726092809BCB24DF56D998A3EBBE5FF85784F14882CE4C687252D372DD50CB62

Function 00AB1BEE Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

L3, xrefs: 00AB1C3E

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: L3
API String ID: 0-2730849248
Opcode ID: 4def3714d444ee9f7669ce7f7a3b7529c775e83c35eb587ee1e64f262f012e10
Instruction ID: 726ef2d12d41e9fa14bc37dead22a8d1e5e3bbec8c36c31479422c28c9f73004
Opcode Fuzzy Hash: 4def3714d444ee9f7669ce7f7a3b7529c775e83c35eb587ee1e64f262f012e10
Instruction Fuzzy Hash: 544152B40083809BC7149F65C8A4A6FBBF4FF8A314F44891CF5D59B292D736C915CB56

Function 00AB6F91 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00AB703B

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: eda08ce06d3f53478687c3e6ea7123c2b5e1866b227af8e2ea1b574d86cf008b
Instruction ID: 432f1f85c391620533b7a8028ce6701e0a569be1f1998066668aa0d831e50b9d
Opcode Fuzzy Hash: eda08ce06d3f53478687c3e6ea7123c2b5e1866b227af8e2ea1b574d86cf008b
Instruction Fuzzy Hash: EF415971604B04DFD734DFA1D990B2ABBF6FB49700F248819E5869BAA2E371F800CB10

Function 00AE9CE0 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

@, xrefs: 00AE9D30

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c821ebd19f8f33b8cf4f71a6929c14983a8337e9f8b3bbd9581cb74e2649c2b7
Instruction ID: 321397e2b52e80fad168599042b295fe0d925d7bf0c900641e742a9cbe6f9035
Opcode Fuzzy Hash: c821ebd19f8f33b8cf4f71a6929c14983a8337e9f8b3bbd9581cb74e2649c2b7
Instruction Fuzzy Hash: 76318C709093449BD314EF26D880A2BFBF9FF9A314F14892CE6C497251E375D904CBA6

Function 00AABEB0 Relevance: .9, Instructions: 895COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb29da7d79096bacc6094e4b34e266ec592ef3032653cf8f6be9c20689d955e
Instruction ID: 87e7d708d564582fde468bfd0a9c719c80685e7234ecc08c3a2193ddd39d6042
Opcode Fuzzy Hash: efb29da7d79096bacc6094e4b34e266ec592ef3032653cf8f6be9c20689d955e
Instruction Fuzzy Hash: 3B520831A087118BD725DF18D4402BAF3E1FFDA329F294A2DD9D6972C0E735A851CB86

Function 00AAA300 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212bf7ef53d90d5c52b7f9dca0e1cd9d1bc5b4f631ca8a0588aaa50f1e087ad
Instruction ID: 7ea446b92ee0afd802c1cb77289085ea01fa5edd1891df2ad5cd459d20bfd718
Opcode Fuzzy Hash: 6212bf7ef53d90d5c52b7f9dca0e1cd9d1bc5b4f631ca8a0588aaa50f1e087ad
Instruction Fuzzy Hash: 4AF1BF756087418FD724CF29C88166BFBE2AFE9300F08882DE4D587791E739E945CB56

Function 00AB4487 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c680908d23c2de8fd92bcb1416fcf5a84bcbfe8f8d678db1c027bc4bccf277d9
Instruction ID: 8489c116afb489f8b0256535228f6d285a25c435ac87ab5e0cd9518b7edb26ed
Opcode Fuzzy Hash: c680908d23c2de8fd92bcb1416fcf5a84bcbfe8f8d678db1c027bc4bccf277d9
Instruction Fuzzy Hash: F7E10EB5601B408FD325CF28D992B97B7E5FF4A704F04886CE4AACB652E735B815CB14

Function 00AAAF10 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0ffa581ae49f987acb9b1bca04b9a9e378426b89f686002d56ea1de386bdc0
Instruction ID: 1f28568f6ed3692b280c580cbac7e10d02d9ffa3477066ba1729e4434c869334
Opcode Fuzzy Hash: ab0ffa581ae49f987acb9b1bca04b9a9e378426b89f686002d56ea1de386bdc0
Instruction Fuzzy Hash: 25C18AB2A587418FC360CF28CC96BABB7E1BF85318F08492DD1D9C7242E778A155CB56

Function 00AB6536 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b722d373128291729227cbb1b701e4a7240d8a07782243578815bb5cb6090d7d
Instruction ID: 9ed218f42b6e021ed14f73c56dfd1bf5e76364db09dee60cf8b6966a84b9ef9a
Opcode Fuzzy Hash: b722d373128291729227cbb1b701e4a7240d8a07782243578815bb5cb6090d7d
Instruction Fuzzy Hash: 4BB113B4500B408FD325CF24DA91B67BBF5AF4A704F14885CE8AA8BB52E775F805CB64

Function 00AEA0D0 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401a9b2f38143ecf05fc84ff3cb91f2b055837b8839a02096f535895fa16686b
Instruction ID: e63f9c068c8a695e7d1bf0f118a57377952c71fd76004eda48156fc5bb3f503f
Opcode Fuzzy Hash: 401a9b2f38143ecf05fc84ff3cb91f2b055837b8839a02096f535895fa16686b
Instruction Fuzzy Hash: 8281B0346087828FD724DF6AC880A2AB7F5FF65740F15896CE586CB261E731EC11CB92

Function 00AB42FC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba20e0b4e90f10f76e4ba8ab63d09ca550c64919aa407c105b6a64cedd42a5bc
Instruction ID: 78d86d2b68b5ff490183a55a6f98076158b1a73e95520238edd73fde3402da16
Opcode Fuzzy Hash: ba20e0b4e90f10f76e4ba8ab63d09ca550c64919aa407c105b6a64cedd42a5bc
Instruction Fuzzy Hash: A781CEB4810B00AFD360EF39DA47797BEF4AB06201F404A1DE4EA97695E7316419CBE2

Function 00ADE8A0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction ID: df87f2d046d59dc6b167e27fee7e2dd9456e9ded7641af5d31b2a5a8ab8b5f8c
Opcode Fuzzy Hash: 53adb1b22930f8a695f789fdc3f4b943ccd6ac5fb5c634955e3c1cdf4e3fec6a
Instruction Fuzzy Hash: 68515DB16087548FE314DF69D49435BBBE1BBC5358F044E2EE4E987390E379DA088B82

Function 00AA5A50 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26207a6bfb081cda6b730947cfca841fdf9da31cd2d8cf64805a2cce3bc85906
Instruction ID: e2f41373b94d81b484a41765709c35cc70aa2801ee00d483362cfe6f09482773
Opcode Fuzzy Hash: 26207a6bfb081cda6b730947cfca841fdf9da31cd2d8cf64805a2cce3bc85906
Instruction Fuzzy Hash: 0651B2B5E047049FC714DF24D890926B7A1FF8A374F15466CE8968B392D731EC42CB96

Function 00AE9B60 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84ed4875f18b76818469fcf0e7b217ec4826ac31da1279ca154da5ea26b6e78
Instruction ID: 61486e806785c324ca68ce2f0970f7590bac66a60faa313d05cd89833c9238a7
Opcode Fuzzy Hash: f84ed4875f18b76818469fcf0e7b217ec4826ac31da1279ca154da5ea26b6e78
Instruction Fuzzy Hash: 1A418E74A08380AFD710EB66D990B2BBBF6EBC5714F64882CF58997251D335EC01CB62

Function 00AB2030 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f94657d1a04952091e787920a8af821a98d89499816c4a9d4ad9829d240e6d6
Instruction ID: 2cef4f398dd2ece10fa89f4561abb5331dd4133272407a68dec24610dece86cf
Opcode Fuzzy Hash: 1f94657d1a04952091e787920a8af821a98d89499816c4a9d4ad9829d240e6d6
Instruction Fuzzy Hash: E9411632A083614FD35CCF2A849437ABBE2ABC5310F09862EE4D68B3D5DA758D45DB81

Function 00AB1E93 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb142e1b74518af73df7aae36e38a6dfc8e2cf369c87737ad871f4bea742c9f
Instruction ID: 37b19c3a77b3af794b7d9d713359cf9c3eacf3efa4190293279a5ab844858797
Opcode Fuzzy Hash: 8bb142e1b74518af73df7aae36e38a6dfc8e2cf369c87737ad871f4bea742c9f
Instruction Fuzzy Hash: 1041F0745083809BD320EB59C894B2EFBF9FB8A344F14491DF6C497292C376E815CB66

Function 00ABD961 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee2aa2c67d2753c31c4e5c133fd449a8ff8d74a0347f955fd4c7f6a0e53fa87
Instruction ID: 06028f30dfee4ebf2ddab51f9e8f937686f3832b549897941fa011617a33c6ed
Opcode Fuzzy Hash: bee2aa2c67d2753c31c4e5c133fd449a8ff8d74a0347f955fd4c7f6a0e53fa87
Instruction Fuzzy Hash: 05419CB16083818BE730DF54C841BABB7B4FF963A5F04496CE48A8BA92E7754941CB53

Function 00AA49A0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee122a49834589fd6e39718d65d0040eca334daf207fc2b6e37478eade29261
Instruction ID: 6490f91975257b6221293d32c88ed6dc8a1fa4fae68bef77b67d845cc1168041
Opcode Fuzzy Hash: 0ee122a49834589fd6e39718d65d0040eca334daf207fc2b6e37478eade29261
Instruction Fuzzy Hash: D731A2316482009FD7149F58D881A2BB7E1EFCE399F18892DF89A9B291D371DC52CB46

Function 00AB0EEC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d2bab09b81a3ede392e68c66d2d1cf1253d4cde899323fe0bd4af956d7230c
Instruction ID: a44d6b23b0febf230d83853bebd7f298c951b20d2fb683a59c81af9af5d87ba1
Opcode Fuzzy Hash: 55d2bab09b81a3ede392e68c66d2d1cf1253d4cde899323fe0bd4af956d7230c
Instruction Fuzzy Hash: 872109B4A0025A9FEB15CFA4CC90FBFBBB5FB4A304F144859E511BB292C735A911CB64

Function 00AE5700 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58905f01cff6822dfb14141c367c6f5333d5c9099a75b5c57d8be078ed00eaee
Instruction ID: 7ae929b3b4a0730e774659410752d298a5f9c75f89a09de29fd271e545697d68
Opcode Fuzzy Hash: 58905f01cff6822dfb14141c367c6f5333d5c9099a75b5c57d8be078ed00eaee
Instruction Fuzzy Hash: 5C119E7191C280EBC701AF69E944A2BBBF5AF96714F058C2CE4C49B211D335D821CB92

Function 00AA6EA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd31ecae1e48a2936c0b83e3a54899e526e80a8732907ea9858535cf2be6c78
Instruction ID: a95e6788e95c3f6ef1c617ea5bb013729a89babb459e6e8b1ee3b4073c277b83
Opcode Fuzzy Hash: cfd31ecae1e48a2936c0b83e3a54899e526e80a8732907ea9858535cf2be6c78
Instruction Fuzzy Hash: 9FF0503E71920A0FA210DEAAE8C483BF3D6D7CA355B191538EE40C3241DE71EC0246D0

Function 00ABC5F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction ID: afd6f86e1ed7dc578beff9a6215ab27dc393fb41cabbec3b70aacfa27007612f
Opcode Fuzzy Hash: d8ebd7708255391ffa87ed53dd5dbf97c7cff7b52fcdad9dabb06971c835301f
Instruction Fuzzy Hash: EB014B72A196204B8308CE3C9C1112ABEE19B86330F158B2EBCFAD73E0D664CD548696

Function 00ABB410 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction ID: 2dbd78034b5bd95dd9fdcac2ed8759b156b8996f811b152480e0d2fb2a3a14ac
Opcode Fuzzy Hash: 809ee23363f840c811a801533be2b64f834fb93f4c5a4ab9cc37b5a2fd812bb4
Instruction Fuzzy Hash: 5CF0ECB16145105BDF32CA559CC0FB7BB9CEB8B354F190436E84557143D2B19845C3F5

Function 00AB1ACD Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 774b41b2b6881cf897a0314f221ccfe19a5edef9374c492d8ae053fc2556282f
Instruction ID: 0ef33c72bd9df38ba5b10b9102ccd1dc1f8904c5b65d8c8eeb84203b0584af12
Opcode Fuzzy Hash: 774b41b2b6881cf897a0314f221ccfe19a5edef9374c492d8ae053fc2556282f
Instruction Fuzzy Hash: 85C01234A2A0408F8204CF84A8E5832A7B8A30A209740A03ADA03FB2A2CA20D4038A09

Function 00AB1A3C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1597637392.0000000000AA1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000004.00000002.1597615087.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597686844.0000000000B00000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597708942.0000000000B0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597730009.0000000000B0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597750356.0000000000B0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1597989405.0000000000C6A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598012014.0000000000C6C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598042941.0000000000C7C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598062270.0000000000C7E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C7F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598082185.0000000000C89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598128502.0000000000C9B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598147810.0000000000C9C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598171962.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598189917.0000000000CBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598208919.0000000000CC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598229024.0000000000CCB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598247978.0000000000CCC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598265436.0000000000CCE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598289700.0000000000CE6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598313341.0000000000CEC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598335517.0000000000CED000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598356122.0000000000CF2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598383974.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598409199.0000000000D02000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598432836.0000000000D0A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598451228.0000000000D0B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598473270.0000000000D0C000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598495704.0000000000D0F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598517109.0000000000D18000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598546589.0000000000D21000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598567355.0000000000D28000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598587569.0000000000D2C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598608851.0000000000D3B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D3C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598628933.0000000000D6B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598688052.0000000000D80000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598714683.0000000000D81000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598738737.0000000000D95000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D96000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598761650.0000000000D9D000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598804140.0000000000DAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1598822652.0000000000DAB000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce7cd31cde70e3059becf148f71daa4dac588f9be5327a9483f79756473e5fc
Instruction ID: e8ed50b45bec1020fa9f6ce320d8c2af101a21a9843deae4557233e89d366c03
Opcode Fuzzy Hash: 2ce7cd31cde70e3059becf148f71daa4dac588f9be5327a9483f79756473e5fc
Instruction Fuzzy Hash: 26C04C34A6A0848E8244CEC5A8E1471A3BD9306208750703A9A03EB2A2C560D4068609

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_f5b4a6202a53ee73c263cc4c99e711b13cd935ac_85207d7d_60a13b95-4b9d-48c6-9f21-7624c89f66a0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3470.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3490.tmp.xml

C:\Users\user\AppData\Local\Temp\WER24A0.tmp.WERDataCollectionStatus.txt

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
file.exe

Function 00AAFCA0 Relevance: 6.6, Strings: 5, Instructions: 373
COMMON

Function 00AB049B Relevance: .3, Instructions: 264
COMMON

Function 00AB0228 Relevance: .2, Instructions: 218
COMMON

Function 00AAD110 Relevance: .2, Instructions: 168
COMMON

Function 00AE99D0 Relevance: .1, Instructions: 143
COMMON

Function 00AE3220 Relevance: 1.6, APIs: 1, Instructions: 59
memoryCOMMON

Function 00AE5BB0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00AB2F6F Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00AB2F10 Relevance: 1.3, APIs: 1, Instructions: 33
COMMON