Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562030
MD5:	8453f1d8df8f15f1bbc160bd225b7df3
SHA1:	4b62adaf743ed29ba865c424d24f73259fd08d5f
SHA256:	52eada2c59ecea03387a3b6fa6a1e557cd5f32ebfc4f478c2e6800f56e25eef0
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 320 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8453F1D8DF8F15F1BBC160BD225B7DF3)

cleanup

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T05:46:21.953434+0100	2028371	3	Unknown Traffic	192.168.2.7	49705	104.21.88.250	443	TCP
2024-11-25T05:46:23.939996+0100	2028371	3	Unknown Traffic	192.168.2.7	49707	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T05:46:22.681227+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49705	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T05:46:22.681227+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49705	104.21.88.250	443	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic	DNS traffic detected: DNS query: frogs-severz.sbs

Source: unknown

Source: file.exe, 00000005.00000003.1345252759.000000000173F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.0000000001742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftb
Source: file.exe, 00000005.00000003.1345252759.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346187098.00000000016FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/
Source: file.exe, 00000005.00000003.1345252759.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000003.1345190059.0000000001751000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.0000000001756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api
Source: file.exe, 00000005.00000002.1346187098.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apin
Source: file.exe, 00000005.00000003.1345252759.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.000000000174A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/w

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.7:49705 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E69030	5_2_00E69030
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E389A0	5_2_00E389A0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E3CF05	5_2_00E3CF05
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E6B8E0	5_2_00E6B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E398F0	5_2_00E398F0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E6F8D0	5_2_00E6F8D0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E3E0D8	5_2_00E3E0D8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884	5_2_00FFB884
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E50870	5_2_00E50870
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E34040	5_2_00E34040
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E36840	5_2_00E36840
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E6C040	5_2_00E6C040
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00EF3056	5_2_00EF3056
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F969DB	5_2_00F969DB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E641D0	5_2_00E641D0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E361A0	5_2_00E361A0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E3E970	5_2_00E3E970
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F1413B	5_2_00F1413B
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FF82F1	5_2_00FF82F1
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E34AC0	5_2_00E34AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E35AC9	5_2_00E35AC9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F712C6	5_2_00F712C6
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0100CB35	5_2_0100CB35
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F67AB4	5_2_00F67AB4
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01005BBB	5_2_01005BBB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F76A05	5_2_00F76A05
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E39210	5_2_00E39210
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E3B210	5_2_00E3B210
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FA33F5	5_2_00FA33F5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E32B80	5_2_00E32B80
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E4FB60	5_2_00E4FB60
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E4DB30	5_2_00E4DB30
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E624E0	5_2_00E624E0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E36CC0	5_2_00E36CC0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFD4D5	5_2_00FFD4D5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E394D0	5_2_00E394D0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F874BA	5_2_00F874BA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E58CB0	5_2_00E58CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E70C80	5_2_00E70C80
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FC1C90	5_2_00FC1C90
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E35C90	5_2_00E35C90
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01002595	5_2_01002595
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FBCC55	5_2_00FBCC55
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E3542C	5_2_00E3542C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F57400	5_2_00F57400
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0100ADFC	5_2_0100ADFC
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E33580	5_2_00E33580
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E71580	5_2_00E71580
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E53D70	5_2_00E53D70
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E49530	5_2_00E49530
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E3AD00	5_2_00E3AD00
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00EB0511	5_2_00EB0511
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F94EAB	5_2_00F94EAB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E55E90	5_2_00E55E90
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01035FA1	5_2_01035FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E50650	5_2_00E50650
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E57E20	5_2_00E57E20
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00F28E39	5_2_00F28E39
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FF9E11	5_2_00FF9E11
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00EACFE0	5_2_00EACFE0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E327D0	5_2_00E327D0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E377D0	5_2_00E377D0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E687B0	5_2_00E687B0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E6C780	5_2_00E6C780
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E51790	5_2_00E51790
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E70F60	5_2_00E70F60
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00E58770	5_2_00E58770
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01004EAD	5_2_01004EAD
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFEF12	5_2_00FFEF12

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9992443647540984
Source: file.exe	Static PE information: Section: rujnmhpu ZLIB complexity 0.9942296429910045

Source: classification engine

Classification label: mal100.evad.winEXE@1/0@2/1

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00E627B0 CoCreateInstance,

5_2_00E627B0

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 50%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 1879040 > 1048576

Source: file.exe

Static PE information: Raw size of rujnmhpu is bigger than: 0x100000 < 0x1a0e00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 5.2.file.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rujnmhpu:EW;bfyrfdky:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rujnmhpu:EW;bfyrfdky:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x1cf736 should be: 0x1d238f

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: rujnmhpu
Source: file.exe	Static PE information: section name: bfyrfdky
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01042910 push ebx; mov dword ptr [esp], edi	5_2_01042967
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_010C3916 push 08A4EAE0h; mov dword ptr [esp], edi	5_2_010C3940
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0108592D push 5F6BD2D3h; mov dword ptr [esp], eax	5_2_01085953
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push edx; mov dword ptr [esp], ebp	5_2_00FFB93D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 5337B263h; mov dword ptr [esp], ecx	5_2_00FFB956
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 02F79533h; mov dword ptr [esp], ecx	5_2_00FFBA02
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 4416E455h; mov dword ptr [esp], eax	5_2_00FFBA94
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 2209E6C9h; mov dword ptr [esp], edx	5_2_00FFBA9C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 3DBA71DCh; mov dword ptr [esp], eax	5_2_00FFBB21
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 373E004Eh; mov dword ptr [esp], eax	5_2_00FFBBE6
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push ebp; mov dword ptr [esp], 5BF766E1h	5_2_00FFBBEA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 2C9C3690h; mov dword ptr [esp], eax	5_2_00FFBC08
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 561D9A97h; mov dword ptr [esp], edx	5_2_00FFBC25
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push edx; mov dword ptr [esp], ecx	5_2_00FFBC7E
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push eax; mov dword ptr [esp], 4EE91081h	5_2_00FFBDDF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 41889419h; mov dword ptr [esp], ebp	5_2_00FFBE94
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push eax; mov dword ptr [esp], ebp	5_2_00FFBE98
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push eax; mov dword ptr [esp], edi	5_2_00FFBF0C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push edi; mov dword ptr [esp], edx	5_2_00FFBF16
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 0F3EBED4h; mov dword ptr [esp], ecx	5_2_00FFBF39
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 507E0D0Ch; mov dword ptr [esp], edx	5_2_00FFBF66
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push esi; mov dword ptr [esp], 7F7596B2h	5_2_00FFBF83
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push eax; mov dword ptr [esp], ebp	5_2_00FFBFCA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push ebx; mov dword ptr [esp], esi	5_2_00FFC016
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 4221547Eh; mov dword ptr [esp], edi	5_2_00FFC05C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push eax; mov dword ptr [esp], ecx	5_2_00FFC0EA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push ebx; mov dword ptr [esp], ecx	5_2_00FFC139
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push esi; mov dword ptr [esp], ecx	5_2_00FFC2E5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push ebp; mov dword ptr [esp], edx	5_2_00FFC2FE
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push ebx; mov dword ptr [esp], ebp	5_2_00FFC3B4
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FFB884 push 429FBDB7h; mov dword ptr [esp], edx	5_2_00FFC491

Source: file.exe	Static PE information: section name: entropy: 7.9830267729782625
Source: file.exe	Static PE information: section name: rujnmhpu entropy: 7.953499321906515

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1010AF8 second address: 1010B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1010B03 second address: 1010B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101107C second address: 1011080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101475B second address: E8CA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 08C8D0D8h 0x0000000e mov di, 9141h 0x00000012 push dword ptr [ebp+122D0D41h] 0x00000018 and edx, dword ptr [ebp+122D2D3Dh] 0x0000001e call dword ptr [ebp+122D1940h] 0x00000024 pushad 0x00000025 jmp 00007FBC40C70F2Dh 0x0000002a xor eax, eax 0x0000002c jmp 00007FBC40C70F30h 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 ja 00007FBC40C70F2Ch 0x0000003b sub dword ptr [ebp+122D2E1Ah], edx 0x00000041 mov dword ptr [ebp+122D2C9Ah], eax 0x00000047 mov dword ptr [ebp+122D2E1Ah], edx 0x0000004d mov esi, 0000003Ch 0x00000052 jnc 00007FBC40C70F42h 0x00000058 jne 00007FBC40C70F3Ch 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 jmp 00007FBC40C70F2Ch 0x00000067 lodsw 0x00000069 je 00007FBC40C70F35h 0x0000006f jmp 00007FBC40C70F2Fh 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 mov dword ptr [ebp+122D2E1Ah], eax 0x0000007e sub dword ptr [ebp+122D2E1Ah], ecx 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 pushad 0x00000089 or cl, FFFFFFB9h 0x0000008c push ecx 0x0000008d pushad 0x0000008e popad 0x0000008f pop esi 0x00000090 popad 0x00000091 nop 0x00000092 push ebx 0x00000093 push eax 0x00000094 push edx 0x00000095 jmp 00007FBC40C70F2Ah 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014858 second address: 1014901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A892h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jmp 00007FBC40C6A88Ch 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jnl 00007FBC40C6A88Ch 0x0000001a mov eax, dword ptr [eax] 0x0000001c push edi 0x0000001d pushad 0x0000001e jl 00007FBC40C6A886h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 popad 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c jmp 00007FBC40C6A893h 0x00000031 pop eax 0x00000032 pushad 0x00000033 mov edi, 03838363h 0x00000038 pushad 0x00000039 mov ch, F5h 0x0000003b xor edi, 7D40942Ah 0x00000041 popad 0x00000042 popad 0x00000043 lea ebx, dword ptr [ebp+1245B693h] 0x00000049 mov dx, 60C3h 0x0000004d jmp 00007FBC40C6A898h 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 push ecx 0x00000055 pushad 0x00000056 popad 0x00000057 pop ecx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FBC40C6A894h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014901 second address: 1014912 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBC40C70F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014912 second address: 1014916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014A54 second address: 1014A68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c jc 00007FBC40C70F2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014A68 second address: 1014A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [eax] 0x00000007 js 00007FBC40C6A8A5h 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FBC40C6A886h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014A7D second address: 1014AD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edx 0x0000000e jmp 00007FBC40C70F37h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 or dword ptr [ebp+122D2E99h], ecx 0x0000001b lea ebx, dword ptr [ebp+1245B69Ch] 0x00000021 xor dword ptr [ebp+122D1992h], ebx 0x00000027 xchg eax, ebx 0x00000028 pushad 0x00000029 jmp 00007FBC40C70F2Bh 0x0000002e je 00007FBC40C70F2Ch 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014B4D second address: 1014B9D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D190Eh], edi 0x00000010 push 00000000h 0x00000012 sub dword ptr [ebp+122D2D28h], ecx 0x00000018 call 00007FBC40C6A889h 0x0000001d pushad 0x0000001e jmp 00007FBC40C6A895h 0x00000023 push edi 0x00000024 js 00007FBC40C6A886h 0x0000002a pop edi 0x0000002b popad 0x0000002c push eax 0x0000002d push edi 0x0000002e push ecx 0x0000002f pushad 0x00000030 popad 0x00000031 pop ecx 0x00000032 pop edi 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014B9D second address: 1014BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014BA2 second address: 1014BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A898h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FBC40C6A888h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014BCA second address: 1014C7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBC40C70F36h 0x00000008 jng 00007FBC40C70F26h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push edi 0x00000016 jbe 00007FBC40C70F28h 0x0000001c pop edi 0x0000001d pop eax 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FBC40C70F28h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 push 00000003h 0x0000003a jmp 00007FBC40C70F38h 0x0000003f push 00000000h 0x00000041 mov edx, dword ptr [ebp+122D2C1Eh] 0x00000047 push 00000003h 0x00000049 push 00000000h 0x0000004b push edx 0x0000004c call 00007FBC40C70F28h 0x00000051 pop edx 0x00000052 mov dword ptr [esp+04h], edx 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc edx 0x0000005f push edx 0x00000060 ret 0x00000061 pop edx 0x00000062 ret 0x00000063 mov dword ptr [ebp+122D1952h], esi 0x00000069 call 00007FBC40C70F29h 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 js 00007FBC40C70F26h 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014C7F second address: 1014C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014C84 second address: 1014C89 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014C89 second address: 1014C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBC40C6A88Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014C9D second address: 1014CDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push esi 0x0000000e pushad 0x0000000f jo 00007FBC40C70F26h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop esi 0x00000019 mov eax, dword ptr [eax] 0x0000001b jmp 00007FBC40C70F37h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push edx 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014CDE second address: 1014D1A instructions: 0x00000000 rdtsc 0x00000002 je 00007FBC40C6A88Ch 0x00000008 jl 00007FBC40C6A886h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 jns 00007FBC40C6A889h 0x00000017 lea ebx, dword ptr [ebp+1245B6A7h] 0x0000001d sub dword ptr [ebp+122D2E0Dh], edx 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FBC40C6A890h 0x00000029 push eax 0x0000002a pushad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1005655 second address: 1005683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007FBC40C70F31h 0x0000000b pop esi 0x0000000c pushad 0x0000000d jmp 00007FBC40C70F2Bh 0x00000012 jno 00007FBC40C70F26h 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1033C93 second address: 1033C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103427D second address: 103429A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F35h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103429A second address: 103429E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034528 second address: 1034530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034530 second address: 103455E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FBC40C6A88Eh 0x00000012 jne 00007FBC40C6A886h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBC40C6A88Ch 0x00000021 jno 00007FBC40C6A886h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103455E second address: 1034562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034562 second address: 103456E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBC40C6A886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034BC1 second address: 1034BC7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029EC3 second address: 1029EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBC40C6A886h 0x0000000a popad 0x0000000b jng 00007FBC40C6A88Ch 0x00000011 jg 00007FBC40C6A886h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029EDA second address: 1029EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBC40C70F26h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034E52 second address: 1034E5C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10355A8 second address: 10355AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1035878 second address: 1035896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FBC40C6A88Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jg 00007FBC40C6A886h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1035896 second address: 10358BD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBC40C70F26h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FBC40C70F35h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1037382 second address: 103738D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103738D second address: 1037393 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1042B07 second address: 1042B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9955 second address: FF9959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1042390 second address: 1042399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1042684 second address: 10426A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C70F2Ah 0x00000009 pushad 0x0000000a jmp 00007FBC40C70F34h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10426A9 second address: 10426B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1042850 second address: 104285B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104285B second address: 104285F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104285F second address: 1042872 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F2Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1042872 second address: 104287B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044B32 second address: 1044B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FBC40C70F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044DDD second address: 1044E10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A896h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jnl 00007FBC40C6A893h 0x00000011 jmp 00007FBC40C6A88Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044E10 second address: 1044E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044E14 second address: 1044E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044EB3 second address: 1044ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C70F35h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10450B2 second address: 10450B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10450B8 second address: 10450BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1045161 second address: 1045166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1045650 second address: 1045691 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBC40C70F28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FBC40C70F30h 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 jns 00007FBC40C70F26h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c jg 00007FBC40C70F2Ch 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jnp 00007FBC40C70F34h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104570B second address: 104570F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104570F second address: 1045727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBC40C70F2Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1046B70 second address: 1046B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBC40C6A896h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1046B90 second address: 1046B9A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBC40C70F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1046B9A second address: 1046C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A88Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FBC40C6A888h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 jc 00007FBC40C6A88Ch 0x0000002a add dword ptr [ebp+122D1985h], edi 0x00000030 and esi, 7FC2B26Ch 0x00000036 push 00000000h 0x00000038 jmp 00007FBC40C6A88Fh 0x0000003d push 00000000h 0x0000003f xchg eax, ebx 0x00000040 push ecx 0x00000041 jmp 00007FBC40C6A897h 0x00000046 pop ecx 0x00000047 push eax 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FBC40C6A895h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1047C92 second address: 1047C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104845D second address: 1048467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FBC40C6A886h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1048467 second address: 1048479 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBC40C70F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104A62A second address: 104A62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104A62F second address: 104A645 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBC40C70F28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FBC40C70F26h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104B171 second address: 104B1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007FBC40C6A897h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FBC40C6A888h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D1B70h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007FBC40C6A888h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b xchg eax, ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e jp 00007FBC40C6A888h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104B1E1 second address: 104B1E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104B1E7 second address: 104B1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104CF27 second address: 104CF56 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FBC40C70F3Bh 0x0000000e popad 0x0000000f jbe 00007FBC40C70F5Dh 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F641 second address: 104F647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1050855 second address: 1050859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F647 second address: 104F64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1050859 second address: 105085F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F64B second address: 104F64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F64F second address: 104F661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jbe 00007FBC40C70F2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F732 second address: 104F737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104F737 second address: 104F73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10562E1 second address: 10562EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FBC40C6A886h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105647C second address: 1056481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105A3CD second address: 105A3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057559 second address: 105756E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBC40C70F2Ch 0x00000008 js 00007FBC40C70F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105A4CD second address: 105A4D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105C3CB second address: 105C3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105A4D2 second address: 105A4ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC40C6A897h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105C3D0 second address: 105C3D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105A4ED second address: 105A581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bx, 4028h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jo 00007FBC40C6A888h 0x0000001c mov ebx, ecx 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007FBC40C6A888h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f add dword ptr [ebp+122D2E7Eh], ecx 0x00000045 mov eax, dword ptr [ebp+122D06B1h] 0x0000004b push edi 0x0000004c pop edi 0x0000004d mov dword ptr [ebp+122D197Ah], eax 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ebp 0x00000058 call 00007FBC40C6A888h 0x0000005d pop ebp 0x0000005e mov dword ptr [esp+04h], ebp 0x00000062 add dword ptr [esp+04h], 0000001Ah 0x0000006a inc ebp 0x0000006b push ebp 0x0000006c ret 0x0000006d pop ebp 0x0000006e ret 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FBC40C6A895h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105C3D6 second address: 105C3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105A581 second address: 105A591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC40C6A88Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105E9E8 second address: 105E9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105E9EC second address: 105E9FA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBC40C6A886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105FAC9 second address: 105FB1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FBC40C70F28h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov di, ax 0x0000002e push 00000000h 0x00000030 mov ebx, dword ptr [ebp+122D2BB6h] 0x00000036 xor ebx, dword ptr [ebp+122D2D1Eh] 0x0000003c push eax 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jg 00007FBC40C70F26h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1063793 second address: 10637A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10637A7 second address: 10637AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A8FE second address: 100A905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A905 second address: 100A90F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FBC40C70F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A90F second address: 100A921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A921 second address: 100A925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A925 second address: 100A92F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBC40C6A886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A92F second address: 100A93F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FBC40C70F26h 0x0000000a jl 00007FBC40C70F26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A93F second address: 100A949 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBC40C6A886h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100A949 second address: 100A954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106649F second address: 10664E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A88Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FBC40C6A893h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBC40C6A88Ch 0x00000016 jmp 00007FBC40C6A891h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10684D0 second address: 10684ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F2Dh 0x00000007 jc 00007FBC40C70F26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F94F second address: 106F961 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBC40C6A888h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F961 second address: 106F96E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBC40C70F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F96E second address: 106F990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBC40C6A886h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 jnp 00007FBC40C6A888h 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F990 second address: 106F994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F994 second address: 106F998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F998 second address: 106F99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F99E second address: 106F9A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106FA45 second address: 106FAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBC40C70F3Dh 0x0000000a jmp 00007FBC40C70F37h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FBC40C70F38h 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007FBC40C70F33h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1074993 second address: 107499E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FBC40C6A886h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107499E second address: 10749A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1073B98 second address: 1073B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1073B9C second address: 1073BA2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1073BA2 second address: 1073BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FBC40C6A88Eh 0x0000000e jns 00007FBC40C6A886h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1074053 second address: 1074074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1074074 second address: 107407E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBC40C6A886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107407E second address: 1074083 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1074083 second address: 1074089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107435B second address: 107435F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10744C6 second address: 10744D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBC40C6A886h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10744D0 second address: 1074510 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F35h 0x00000007 jmp 00007FBC40C70F2Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007FBC40C70F2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBC40C70F2Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1074510 second address: 1074514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1074657 second address: 1074661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10747C8 second address: 10747CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10747CC second address: 10747D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10747D2 second address: 10747D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10747D8 second address: 10747FC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FBC40C70F2Ch 0x00000008 jng 00007FBC40C70F26h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBC40C70F2Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CF1E second address: 107CF27 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CF27 second address: 107CF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107BAEF second address: 107BB36 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBC40C6A893h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 jmp 00007FBC40C6A890h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007FBC40C6A892h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107BCA4 second address: 107BCB4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FBC40C70F2Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107BE29 second address: 107BE3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FBC40C6A886h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107C5AB second address: 107C5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CBC5 second address: 107CBCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CBCB second address: 107CBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CBD1 second address: 107CBE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A893h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CBE9 second address: 107CBEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CBEF second address: 107CC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBC40C6A886h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jns 00007FBC40C6A88Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CC0D second address: 107CC1C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBC40C70F26h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107CC1C second address: 107CC25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10824B5 second address: 10824B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10824B9 second address: 10824C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1081319 second address: 108133A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBC40C70F38h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108133A second address: 1081354 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBC40C6A886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FBC40C6A890h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043944 second address: 1043949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043949 second address: 104398A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FBC40C6A88Ch 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnl 00007FBC40C6A890h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBC40C6A897h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104398A second address: 1043995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043995 second address: 10439A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10439A2 second address: 10439B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C70F2Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10439B3 second address: 10439E8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBC40C6A888h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007FBC40C6A893h 0x00000015 pop eax 0x00000016 mov edx, dword ptr [ebp+122D37FBh] 0x0000001c push 1D5C9C9Dh 0x00000021 push eax 0x00000022 push edx 0x00000023 push ecx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10439E8 second address: 10439EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10439EE second address: 10439F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043B77 second address: 1043B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043C1E second address: 1043C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043E3F second address: 1043E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043E43 second address: 1043E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043E47 second address: 1043E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FBC40C70F28h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043E58 second address: 1043E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104441C second address: 104445C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007FBC40C70F32h 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edx 0x00000012 jo 00007FBC40C70F2Ch 0x00000018 je 00007FBC40C70F26h 0x0000001e pop edx 0x0000001f mov eax, dword ptr [eax] 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FBC40C70F2Fh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104445C second address: 1044460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044460 second address: 1044489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FBC40C70F39h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044489 second address: 104448E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104448E second address: 1044494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044494 second address: 1044498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044561 second address: 104456E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBC40C70F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104456E second address: 10445E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jne 00007FBC40C6A89Bh 0x0000000f nop 0x00000010 call 00007FBC40C6A88Ah 0x00000015 mov edi, dword ptr [ebp+122D2BA6h] 0x0000001b pop edi 0x0000001c lea eax, dword ptr [ebp+1248A06Bh] 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FBC40C6A888h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c and ecx, 77B2DB45h 0x00000042 nop 0x00000043 jo 00007FBC40C6A89Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FBC40C6A88Ah 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10445E5 second address: 10445E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10445E9 second address: 102AA2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 push ecx 0x00000009 jmp 00007FBC40C6A899h 0x0000000e pop ecx 0x0000000f pop ecx 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FBC40C6A888h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b lea eax, dword ptr [ebp+1248A027h] 0x00000031 movzx edx, dx 0x00000034 nop 0x00000035 jmp 00007FBC40C6A897h 0x0000003a push eax 0x0000003b jc 00007FBC40C6A89Ah 0x00000041 jne 00007FBC40C6A894h 0x00000047 nop 0x00000048 jmp 00007FBC40C6A898h 0x0000004d call dword ptr [ebp+122D3718h] 0x00000053 jo 00007FBC40C6A8B1h 0x00000059 js 00007FBC40C6A89Fh 0x0000005f jmp 00007FBC40C6A893h 0x00000064 jno 00007FBC40C6A886h 0x0000006a pushad 0x0000006b jno 00007FBC40C6A886h 0x00000071 push edi 0x00000072 pop edi 0x00000073 pushad 0x00000074 popad 0x00000075 popad 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a jno 00007FBC40C6A886h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102AA2D second address: 102AA52 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBC40C70F26h 0x00000008 jmp 00007FBC40C70F2Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FBC40C70F2Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10816C9 second address: 10816CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1081E1B second address: 1081E23 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1081E23 second address: 1081E2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10820F1 second address: 10820F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10820F5 second address: 10820F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10820F9 second address: 1082102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108B3D6 second address: 108B3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A0DD second address: 108A0EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FBC40C70F26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A0EA second address: 108A0F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FBC40C6A886h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A0F7 second address: 108A0FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A752 second address: 108A758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A758 second address: 108A76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FBC40C70F2Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A76E second address: 108A77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108A77C second address: 108A78E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FBC40C70F28h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108AA31 second address: 108AA35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108AA35 second address: 108AA39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108AA39 second address: 108AA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnp 00007FBC40C6A886h 0x0000000d pop ebx 0x0000000e push ecx 0x0000000f jmp 00007FBC40C6A88Ah 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBC40C6A895h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108F132 second address: 108F148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007FBC40C70F31h 0x0000000b jmp 00007FBC40C70F2Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1003B8A second address: 1003B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10915FB second address: 10915FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10978CE second address: 10978D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBC40C6A886h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097BA2 second address: 1097BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097CEA second address: 1097D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FBC40C6A897h 0x00000010 jmp 00007FBC40C6A891h 0x00000015 jmp 00007FBC40C6A895h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097D20 second address: 1097D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097D28 second address: 1097D3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FBC40C6A886h 0x0000000e jno 00007FBC40C6A886h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097D3C second address: 1097D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097E6F second address: 1097E8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FBC40C6A886h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 jl 00007FBC40C6A886h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097E8C second address: 1097E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1097E96 second address: 1097E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1098008 second address: 109800D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109800D second address: 109802D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FBC40C6A894h 0x00000008 pop ecx 0x00000009 jnp 00007FBC40C6A88Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109817C second address: 109818A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007FBC40C70F26h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C2D7 second address: 109C2DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C2DD second address: 109C2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109C2E6 second address: 109C2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109F3B5 second address: 109F3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBC40C70F2Bh 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109F3CA second address: 109F3E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 js 00007FBC40C6A8B4h 0x0000000f pushad 0x00000010 jo 00007FBC40C6A886h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109F710 second address: 109F714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109FA39 second address: 109FA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBC40C6A88Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBC40C6A890h 0x00000013 jnc 00007FBC40C6A886h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A5544 second address: 10A554B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A56CE second address: 10A56D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A56D6 second address: 10A56DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A56DB second address: 10A5705 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBC40C6A8A4h 0x00000008 jmp 00007FBC40C6A894h 0x0000000d jmp 00007FBC40C6A88Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A5705 second address: 10A5720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C70F37h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A6561 second address: 10A6565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A6565 second address: 10A658F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBC40C70F26h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007FBC40C70F2Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FBC40C70F2Dh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A6E7C second address: 10A6E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A6E84 second address: 10A6E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A713B second address: 10A714E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007FBC40C6A886h 0x0000000b jp 00007FBC40C6A886h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AFB60 second address: 10AFBA9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBC40C70F26h 0x00000008 jmp 00007FBC40C70F2Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007FBC40C70F2Eh 0x00000015 pop eax 0x00000016 push ecx 0x00000017 pushad 0x00000018 jmp 00007FBC40C70F2Bh 0x0000001d jmp 00007FBC40C70F32h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AFD0A second address: 10AFD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AFD14 second address: 10AFD7D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBC40C70F26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FBC40C70F2Fh 0x00000012 jmp 00007FBC40C70F39h 0x00000017 pop eax 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBC40C70F38h 0x00000020 jmp 00007FBC40C70F38h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10AFEEE second address: 10AFEF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B01A0 second address: 10B01B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FBC40C70F26h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B01B6 second address: 10B01BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B0316 second address: 10B031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B031F second address: 10B0325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B0325 second address: 10B0329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B0633 second address: 10B0647 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBC40C6A886h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FBC40C6A886h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B8713 second address: 10B8721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B689C second address: 10B68A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B68A1 second address: 10B68A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B68A7 second address: 10B68AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B6E02 second address: 10B6E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBC40C70F45h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B70DE second address: 10B70EB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBC40C6A886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B70EB second address: 10B70F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B70F0 second address: 10B7106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A88Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B72A0 second address: 10B72E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBC40C70F26h 0x00000008 jng 00007FBC40C70F26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 jmp 00007FBC40C70F34h 0x00000016 jno 00007FBC40C70F26h 0x0000001c pop edx 0x0000001d popad 0x0000001e jg 00007FBC40C70F5Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 ja 00007FBC40C70F26h 0x0000002c jc 00007FBC40C70F26h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B747B second address: 10B747F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B747F second address: 10B7485 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B7485 second address: 10B7494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007FBC40C6A886h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B7494 second address: 10B74A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 js 00007FBC40C70F32h 0x0000000c jng 00007FBC40C70F2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B7601 second address: 10B7605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B7759 second address: 10B775D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B775D second address: 10B7771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FBC40C6A886h 0x0000000e ja 00007FBC40C6A886h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B6414 second address: 10B6418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BFC82 second address: 10BFCB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A88Ah 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FBC40C6A88Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FBC40C6A886h 0x00000018 jmp 00007FBC40C6A88Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BF823 second address: 10BF83F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB12A second address: 10CB131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CB131 second address: 10CB15C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F37h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBC40C70F30h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF7E0F second address: FF7E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF7E15 second address: FF7E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6037 second address: 10D606A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007FBC40C6A886h 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jo 00007FBC40C6A89Ch 0x00000019 jmp 00007FBC40C6A890h 0x0000001e jbe 00007FBC40C6A886h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D606A second address: 10D6070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10D6070 second address: 10D6074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DDD1B second address: 10DDD26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DDBAF second address: 10DDBB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DDBB3 second address: 10DDBBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10DFF8D second address: 10DFF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E78AC second address: 10E78BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C70F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E67F3 second address: 10E67F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10E75E7 second address: 10E760A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C70F39h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EC158 second address: 10EC15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EC15E second address: 10EC16F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBC40C70F26h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EC16F second address: 10EC17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C6A88Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFCFD0 second address: FFCFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFCFD5 second address: FFD00A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBC40C6A899h 0x00000009 jmp 00007FBC40C6A898h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EBD56 second address: 10EBD84 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBC40C70F2Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007FBC40C70F52h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBC40C70F38h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EBD84 second address: 10EBD88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10EBD88 second address: 10EBD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FC1C9 second address: 10FC1E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A88Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jbe 00007FBC40C6A890h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FA5AE second address: 10FA5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10FA5BB second address: 10FA5C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1109D95 second address: 1109DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FBC40C70F32h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110D2E3 second address: 110D2EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110D2EA second address: 110D30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FBC40C70F33h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110D30B second address: 110D30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124226 second address: 1124245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FBC40C70F26h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBC40C70F2Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123556 second address: 11235A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A899h 0x00000007 jmp 00007FBC40C6A896h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FBC40C6A89Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11235A6 second address: 11235AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123B8F second address: 1123BAD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBC40C6A886h 0x00000008 jbe 00007FBC40C6A886h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FBC40C6A886h 0x00000018 jo 00007FBC40C6A886h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123D09 second address: 1123D14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123D14 second address: 1123D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBC40C6A894h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBC40C6A88Fh 0x00000015 pushad 0x00000016 jmp 00007FBC40C6A88Ah 0x0000001b pushad 0x0000001c popad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123ED1 second address: 1123F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007FBC40C70F26h 0x00000010 pop edi 0x00000011 jmp 00007FBC40C70F36h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBC40C70F30h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123F0C second address: 1123F1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBC40C6A88Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123F1F second address: 1123F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBC40C70F33h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123F3B second address: 1123F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123F41 second address: 1123F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FBC40C70F33h 0x0000000d popad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112599D second address: 1125A10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FBC40C6A898h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FBC40C6A8A1h 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007FBC40C6A899h 0x00000018 pushad 0x00000019 jmp 00007FBC40C6A892h 0x0000001e pushad 0x0000001f popad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 popad 0x00000023 popad 0x00000024 push ecx 0x00000025 ja 00007FBC40C6A896h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1125A10 second address: 1125A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1128577 second address: 112857C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112863B second address: 112863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112863F second address: 11286FC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FBC40C6A888h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 je 00007FBC40C6A888h 0x00000029 mov edx, ecx 0x0000002b push 00000004h 0x0000002d add dh, FFFFFFC1h 0x00000030 call 00007FBC40C6A889h 0x00000035 jmp 00007FBC40C6A894h 0x0000003a push eax 0x0000003b jmp 00007FBC40C6A88Ch 0x00000040 mov eax, dword ptr [esp+04h] 0x00000044 pushad 0x00000045 jmp 00007FBC40C6A88Eh 0x0000004a jmp 00007FBC40C6A890h 0x0000004f popad 0x00000050 mov eax, dword ptr [eax] 0x00000052 jmp 00007FBC40C6A892h 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b pushad 0x0000005c jmp 00007FBC40C6A896h 0x00000061 jc 00007FBC40C6A88Ch 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112B837 second address: 112B88A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBC40C70F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FBC40C70F2Eh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FBC40C70F3Ch 0x00000019 jl 00007FBC40C70F3Ch 0x0000001f jmp 00007FBC40C70F36h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112B88A second address: 112B890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112B890 second address: 112B894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112B3D5 second address: 112B3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112B3DB second address: 112B3E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E8CAE6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 10637FB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1043453 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 10C57F9 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2868	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5884	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: file.exe, file.exe, 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000005.00000002.1346187098.00000000016FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn<
Source: file.exe, 00000005.00000002.1346187098.00000000016FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000005.00000002.1346187098.00000000016B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00E6DF70 LdrInitializeThunk,

5_2_00E6DF70

Source: file.exe, file.exe, 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmp

Binary or memory string: sProgram Manager

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	24 Virtualization/Sandbox Evasion	OS Credential Dumping	631 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	24 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	223 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	50%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://frogs-severz.sbs/w	100%	Avira URL Cloud	malware
https://frogs-severz.sbs/api	100%	Avira URL Cloud	malware
https://frogs-severz.sbs/apin	100%	Avira URL Cloud	malware
http://crl.microsoftb	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/	100%	Avira URL Cloud	malware
https://frogs-severz.sbs/	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
frogs-severz.sbs	104.21.88.250	true	false		high
property-imper.sbs	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/w	file.exe, 00000005.00000003.1345252759.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.000000000174A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://frogs-severz.sbs/apin	file.exe, 00000005.00000002.1346187098.00000000016E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://frogs-severz.sbs/	file.exe, 00000005.00000003.1345252759.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.000000000174A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346187098.00000000016FA000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://crl.microsoftb	file.exe, 00000005.00000003.1345252759.000000000173F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000005.00000002.1346505388.0000000001742000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.88.250	frogs-severz.sbs	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562030
Start date and time:	2024-11-25 05:45:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:46:19	API Interceptor	3x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.88.250	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse
	b.exe	Get hash	malicious	LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
frogs-severz.sbs	Aquantia_Installer.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	arcaneloader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	xLauncher.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	injector V2.5.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	SystemCoreHelper.dll	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	b.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	193.143.1.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://glorydaysaheadnnowx.us:443/verify/?verify'	Get hash	malicious	Unknown	Browse	172.67.196.133
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	New shipment AWB NO - 09804480383.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	172.67.177.134
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	FGQ-667893.pdf	Get hash	malicious	Unknown	Browse	104.18.95.41
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.88.250
	file.exe	Get hash	malicious	Unknown	Browse	104.21.88.250

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948243247939989
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'879'040 bytes
MD5:	8453f1d8df8f15f1bbc160bd225b7df3
SHA1:	4b62adaf743ed29ba865c424d24f73259fd08d5f
SHA256:	52eada2c59ecea03387a3b6fa6a1e557cd5f32ebfc4f478c2e6800f56e25eef0
SHA512:	487adc7f8578d58b453316c468e8bb259c03f94fbdf069abf5bc26876db04e205bc22d9e66d955586bc9714aec84f6ec644499ad28d9029bdd41d044e8d64281
SSDEEP:	24576:rvB1VD6ieihvrjLBxN3kfh9kaYb59f9RD4RuaLTbcIFXjVYhqEnswk9TG8C0+bZA:DzN69iPX0piDD4R3LcU5YP89TGN5U0
TLSH:	5B9533C5FE135A09E0892FF56FE76BB31200755724BAA084D9ED45F302BAF7E5249E08
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...Q<?g..............................J...........@...........................J.....6.....@.................................\...p..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8a9000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F3C51 [Thu Nov 21 13:57:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FBC4121BAAAh
jp 00007FBC4121BAC2h
add byte ptr [eax], al
jmp 00007FBC4121DAA5h
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5805c	0x70	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x581f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x56000	0x26200	810508f668a379934483f9bc06802656	False	0.9992443647540984	data	7.9830267729782625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x57000	0x2b0	0x200	9a376f1cd17208da04a05162a06cb801	False	0.794921875	data	6.031787524514728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x58000	0x1000	0x200	c92ced077364b300efd06b14c70a61dc	False	0.15625	data	1.1194718105633323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x59000	0x2ae000	0x200	10869768e89c236aafa50f0177557c79	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rujnmhpu	0x307000	0x1a1000	0x1a0e00	6c72583257f4df10a048cfbf33c75861	False	0.9942296429910045	data	7.953499321906515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bfyrfdky	0x4a8000	0x1000	0x400	a7fafe2f826090725f1d3f5bfcbe070d	False	0.779296875	data	6.079655072219222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a9000	0x3000	0x2200	8f0b13c08819fe56feaddd35f4398c81	False	0.0546875	DOS executable (COM)	0.654428562184932	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a79e8	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T05:46:21.953434+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49705	104.21.88.250	443	TCP
2024-11-25T05:46:22.681227+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49705	104.21.88.250	443	TCP
2024-11-25T05:46:22.681227+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49705	104.21.88.250	443	TCP
2024-11-25T05:46:23.939996+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49707	104.21.88.250	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 05:46:20.681462049 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:20.681493998 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:20.681678057 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:20.685146093 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:20.685158968 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:21.953368902 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:21.953433990 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:21.957576036 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:21.957591057 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:21.957880020 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.002418995 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.021745920 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.021790028 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.021832943 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.680773973 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.680891037 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.681127071 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.682605028 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.682605028 CET	49705	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.682621956 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.682636976 CET	443	49705	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.733652115 CET	49707	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.733680964 CET	443	49707	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:22.733875036 CET	49707	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.734177113 CET	49707	443	192.168.2.7	104.21.88.250
Nov 25, 2024 05:46:22.734196901 CET	443	49707	104.21.88.250	192.168.2.7
Nov 25, 2024 05:46:23.939996004 CET	49707	443	192.168.2.7	104.21.88.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 05:46:19.967453003 CET	57388	53	192.168.2.7	1.1.1.1
Nov 25, 2024 05:46:20.205487967 CET	53	57388	1.1.1.1	192.168.2.7
Nov 25, 2024 05:46:20.212950945 CET	61473	53	192.168.2.7	1.1.1.1
Nov 25, 2024 05:46:20.674906015 CET	53	61473	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 05:46:19.967453003 CET	192.168.2.7	1.1.1.1	0xfe05	Standard query (0)	property-imper.sbs	A (IP address)	IN (0x0001)	false
Nov 25, 2024 05:46:20.212950945 CET	192.168.2.7	1.1.1.1	0x7fb	Standard query (0)	frogs-severz.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 05:46:20.205487967 CET	1.1.1.1	192.168.2.7	0xfe05	Name error (3)	property-imper.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 25, 2024 05:46:20.674906015 CET	1.1.1.1	192.168.2.7	0x7fb	No error (0)	frogs-severz.sbs		104.21.88.250	A (IP address)	IN (0x0001)	false
Nov 25, 2024 05:46:20.674906015 CET	1.1.1.1	192.168.2.7	0x7fb	No error (0)	frogs-severz.sbs		172.67.155.47	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

frogs-severz.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49705	104.21.88.250	443	320	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 04:46:22 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: frogs-severz.sbs
2024-11-25 04:46:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-25 04:46:22 UTC	1003	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 04:46:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rl0tf73tkv4eigv6j38d1skipq; expires=Thu, 20-Mar-2025 22:33:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PBFwvJU1AfNvZt7A3vXwjKyzQhlQ8MlPK8LA185FI48paTj6GsMrDuj38kM%2B7W3fC8bmhcyCY7rrs3qEixMj8WV1DtkErXFzijXLYUHkbRCTaTKfj6qaxZncmbf4RfM4R1Ee"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e7efe9cff1f180d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3492&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1887524&cwnd=201&unsent_bytes=0&cid=9017997a427cb167&ts=739&x=0"
2024-11-25 04:46:22 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-25 04:46:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	5
Start time:	23:46:16
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe30000
File size:	1'879'040 bytes
MD5 hash:	8453F1D8DF8F15F1BBC160BD225B7DF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	66.2%
Total number of Nodes:	234
Total number of Limit Nodes:	14

Executed Functions

Function 00E69030 Relevance: 21.6, APIs: 5, Strings: 7, Instructions: 629
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(13C511C2), ref: 00E691B7
CoSetProxyBlanket.COMBASE(0000FDFC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00E691FD

Strings

IK, xrefs: 00E693A2
Lgfe, xrefs: 00E69212
E!q#, xrefs: 00E69688, 00E691B1, 00E69199, 00E69230
\, xrefs: 00E690F1
E!q#, xrefs: 00E690D3, 00E690DD, 00E696A7
=3, xrefs: 00E6915D
C, xrefs: 00E690E6

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: AllocBlanketProxyString
String ID: =3$C$E!q#$E!q#$Lgfe$\$IK
API String ID: 900851650-4011188741
Opcode ID: 229e752c00c24ac527d7f1cc505db7054177b54d53376bd433bf0fda8d8e9687
Instruction ID: 17557c5b8530424e35997adadb016908cae13b5420b863184fa9e22391b767a2
Opcode Fuzzy Hash: 229e752c00c24ac527d7f1cc505db7054177b54d53376bd433bf0fda8d8e9687
Instruction Fuzzy Hash: E72255715483009FE324CF20DC81B6BBBEAEF95794F149A1CF495AB282D774E905CB92

Function 00E3CF05 Relevance: 18.1, Strings: 14, Instructions: 574
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,_"Q, xrefs: 00E3D5C6
gy, xrefs: 00E3D608
y?O1, xrefs: 00E3D32D, 00E3D33F
<KuM, xrefs: 00E3D58F
+S7U, xrefs: 00E3D5D1
N3F5, xrefs: 00E3D579
S7HI, xrefs: 00E3D584
D9B2DC9EC2647CA1D7CBBD6DF28D3732, xrefs: 00E3CF70, 00E3D3C0
7W"i, xrefs: 00E3D5DC
;[*], xrefs: 00E3D5BB
c]e, xrefs: 00E3D5FD
0C%E, xrefs: 00E3D5A5
(), xrefs: 00E3D716
frogs-severz.sbs, xrefs: 00E3D341, 00E3D771

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: ()$+S7U$,_"Q$0C%E$7W"i$;[*]$<KuM$D9B2DC9EC2647CA1D7CBBD6DF28D3732$N3F5$S7HI$frogs-severz.sbs$y?O1$c]e$gy
API String ID: 0-3052796164
Opcode ID: 6e6cf4ff8221a4f0888b6d6db03cdccfc2501523a95990412661b0bef9904ce2
Instruction ID: 021f5159e14ca52c3fb2d71a23b9f023171e2148f19553974922848e3a77d5bc
Opcode Fuzzy Hash: 6e6cf4ff8221a4f0888b6d6db03cdccfc2501523a95990412661b0bef9904ce2
Instruction Fuzzy Hash: A812ECB154C3C18ED3358F25D895BEFBFA1ABD2308F19995CC4DA6B252C771090ACB92

Function 00E389A0 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00E38CB6

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2f6c0bbec6fe4c91385b967dfee1af7ab35b369b92beabde4d6531c78faf7b8d
Instruction ID: 2c3c6924ff06765aed8145fc9ff71a686e710be16df367e975d87709450ae172
Opcode Fuzzy Hash: 2f6c0bbec6fe4c91385b967dfee1af7ab35b369b92beabde4d6531c78faf7b8d
Instruction Fuzzy Hash: BC710773B547040BC708DEBADD9235BFAD6ABC8714F09D83D6884D7390EE789C054685

Function 00E6DF70 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00E6BA46,?,00000010,00000005,00000000,?,00000000,?,?,00E49158,?,?,00E419B4), ref: 00E6DF9E

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00E6B7E0 Relevance: 1.5, APIs: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00E6B84E

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b6ce81b347496cfb7bd8852b33fdc3635c7017ba90dce25284ccbc2a488a8350
Instruction ID: a97d7eb39479135e24cd629f1df110fcceccd8cd29828e1216a300366d39c503
Opcode Fuzzy Hash: b6ce81b347496cfb7bd8852b33fdc3635c7017ba90dce25284ccbc2a488a8350
Instruction Fuzzy Hash: 90017633A457080BC300AF7CDC9464ABB96EFD9228F2A063CE5D4873D0DA31990A8295

Function 00E3CEB3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00E3CEC6

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: da4ed4538f83c56d6022bceef83535088b79e1bbdef556529e101f6874a8b647
Instruction ID: 7f1669a531693172991595b6a436a4afea0c671ce97beebee718ed8ca679a8d4
Opcode Fuzzy Hash: da4ed4538f83c56d6022bceef83535088b79e1bbdef556529e101f6874a8b647
Instruction Fuzzy Hash: 05D0C9313D5742BAF9688608AC57F1023058705F28F700A08B33AFE6D1C8D071868508

Function 00E3CE80 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00E3CE94

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e76df691197ce0501bb0ff4bc699e0a0d9b6de3a8b2e48820cc49e18c12573a6
Instruction ID: dc48199ae6377c75a7eaf4e949f486d473f33077cbde34b3dbe824988918caa5
Opcode Fuzzy Hash: e76df691197ce0501bb0ff4bc699e0a0d9b6de3a8b2e48820cc49e18c12573a6
Instruction Fuzzy Hash: ADD097212A06083BE120F21DEC03F23320CC302318F000626A266CA2C2D940681A8062

Function 00E3D7D3 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 00E3D7D3

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: ac182a29f7778ec3e96ed7aafa761fa61ff5335c33c0d0418291c0a831a8ba52
Instruction ID: 64c1c76747dac98cf07f7ee528d8371df797e86caa126fa0fe462e79efaf3032
Opcode Fuzzy Hash: ac182a29f7778ec3e96ed7aafa761fa61ff5335c33c0d0418291c0a831a8ba52
Instruction Fuzzy Hash: 09A02437F10014445F4000F47C010DDF310D1C00377100373C31CC1400D533113501C1

Non-executed Functions

Function 00E53D70 Relevance: 24.3, Strings: 19, Instructions: 515COMMON

Download Yara Rule

Strings

g, xrefs: 00E5420D
9, xrefs: 00E53F9C
,, xrefs: 00E542B7
e, xrefs: 00E54203
g, xrefs: 00E54460
`, xrefs: 00E54468
g, xrefs: 00E53E14
n, xrefs: 00E53F8D
f, xrefs: 00E54208
f, xrefs: 00E53E0C
`, xrefs: 00E53E1C
f, xrefs: 00E54458
!@, xrefs: 00E53DA3
:, xrefs: 00E53F97
e, xrefs: 00E54450
`, xrefs: 00E54212
;, xrefs: 00E53F92
, xrefs: 00E54182
e, xrefs: 00E53E04

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: $!@$,$9$:$;$`$`$`$e$e$e$f$f$f$g$g$g$n
API String ID: 1279760036-1524723224
Opcode ID: 756cae51e5dabd804b61128ea5ec64beb015f71fa009e2b42eef4a1e46a419f6
Instruction ID: 3a2d5ce90e5e63f8dbda7293c3c78e3f93f387cbd3add630026ae397f6d11d66
Opcode Fuzzy Hash: 756cae51e5dabd804b61128ea5ec64beb015f71fa009e2b42eef4a1e46a419f6
Instruction Fuzzy Hash: B0228CB150C3808FD3218F28C4943AEBBE1AB95319F185D2DE9D9A73D2D7758889CB53

Function 00E394D0 Relevance: 17.9, Strings: 14, Instructions: 385COMMON

Download Yara Rule

Strings

mmi., xrefs: 00E39608
SD]z, xrefs: 00E39640
u{{h, xrefs: 00E395F0
N, xrefs: 00E396A1
f)2s, xrefs: 00E39600
=86o, xrefs: 00E39688
txfF, xrefs: 00E39610
BDZF, xrefs: 00E39628
ZS, xrefs: 00E39533
p8Bb, xrefs: 00E395E8
8, xrefs: 00E39838
_CYG, xrefs: 00E39638
RHL9, xrefs: 00E3958E
n[, xrefs: 00E39630

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: n[$8$=86o$BDZF$N$RHL9$SD]z$ZS$_CYG$f)2s$mmi.$p8Bb$txfF$u{{h
API String ID: 0-1787199350
Opcode ID: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
Instruction ID: d8c1acb77c9ec90413a8a7ccd4f184485a458c5f42e665f19baf0fd684221886
Opcode Fuzzy Hash: 4f528f0c90cc623b71a293a4037b626f3364ba5f16f27244a2274f38ff2d6f74
Instruction Fuzzy Hash: 65B1D47010C3818FD3158F2980647ABBFE1AFD7348F1849ADE4D59B392D779880ACB92

Function 00E398F0 Relevance: 11.7, Strings: 9, Instructions: 428COMMON

Download Yara Rule

Strings

DG, xrefs: 00E39D35
su, xrefs: 00E39CCD
fhnf, xrefs: 00E399E0, 00E39BE4, 00E399B7
fhnf, xrefs: 00E39C10
chs,, xrefs: 00E39B51
{}, xrefs: 00E39CBD
xy, xrefs: 00E39E03
Ohs,, xrefs: 00E39B2A
D9B2DC9EC2647CA1D7CBBD6DF28D3732, xrefs: 00E399C1

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: D9B2DC9EC2647CA1D7CBBD6DF28D3732$DG$Ohs,$chs,$fhnf$fhnf$xy$su${}
API String ID: 0-2454128424
Opcode ID: 04e708169fc7380b767c1a7e29e4b6bbce197e83742ac603d5e56d0b25e9aef8
Instruction ID: de44587bf23cde0bb1d29f9317fdadcfef5f9e92811492df8a605d40d6e6eab0
Opcode Fuzzy Hash: 04e708169fc7380b767c1a7e29e4b6bbce197e83742ac603d5e56d0b25e9aef8
Instruction Fuzzy Hash: 52E15972A483504BD328CF35C85536BBFE2ABD1314F198A2DE5E59B391D774C805CB82

Function 00FFD4D5 Relevance: 11.6, Strings: 8, Instructions: 1600COMMON

Download Yara Rule

Strings

l7hg, xrefs: 00FFE646
#X, xrefs: 00FFDA3F
rC~o, xrefs: 00FFD77B
9 Z, xrefs: 00FFE7C5
aZi, xrefs: 00FFE5C4
pm, xrefs: 00FFD94C
79a, xrefs: 00FFE2F4
d0}, xrefs: 00FFDDDE

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: 79a$9 Z$aZi$d0}$l7hg$rC~o$#X$pm
API String ID: 0-1266458809
Opcode ID: 314474f1fd7befe75535946a940b2ecee59a01f7daae4d017b62480509b170a2
Instruction ID: 0a7ddbd1b1f40fa6f3bc68eab96f19893345c304781425187bf6bbab1f0db89e
Opcode Fuzzy Hash: 314474f1fd7befe75535946a940b2ecee59a01f7daae4d017b62480509b170a2
Instruction Fuzzy Hash: EAB2E5F39082049FE3046E2DEC8567AFBE9EF94720F16493DEAC4C3744EA3599058697

Function 00FF9E11 Relevance: 10.3, Strings: 7, Instructions: 1577COMMON

Download Yara Rule

Strings

r[, xrefs: 00FFAFAA
k#|, xrefs: 00FFA3C4
&`w{, xrefs: 00FFA6CD
&@k&, xrefs: 00FFA235
4i{E, xrefs: 00FFA19E
oBo, xrefs: 00FFA480
E*({, xrefs: 00FFAE3C

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: &@k&$&`w{$4i{E$E*({$k#|$oBo$r[
API String ID: 0-1902940930
Opcode ID: 7e785d0fefb37d9b3b9bc7b60580254cfc7e570ec78df2784b08e885756b2ad6
Instruction ID: c9b6f3b4f927d0378c8ba10012db2886d66aa71594a22ec5ff92f138a3cb4407
Opcode Fuzzy Hash: 7e785d0fefb37d9b3b9bc7b60580254cfc7e570ec78df2784b08e885756b2ad6
Instruction Fuzzy Hash: 0FB2D5F360C204AFE704AE29EC8577ABBE5EF94720F16893DEAC4C3744E63558058697

Function 0100CB35 Relevance: 10.2, Strings: 7, Instructions: 1451COMMON

Download Yara Rule

Strings

!G_, xrefs: 0100CB49
%vO, xrefs: 0100D548
"vn, xrefs: 0100DAD8
D8!:, xrefs: 0100DA10
%t<, xrefs: 0100CC1C
-RH, xrefs: 0100D679
'6/, xrefs: 0100D910

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: !G_$"vn$'6/$-RH$D8!:$%t<$%vO
API String ID: 0-1399670969
Opcode ID: 149545dbb6a37ec9943927fe04d0b79339d4cc97c3ce202b2ba5cba2ddba7851
Instruction ID: eb5f6c41e430d5e8ea195d6056285892c825c49e80672d0f011cd2ca4494965e
Opcode Fuzzy Hash: 149545dbb6a37ec9943927fe04d0b79339d4cc97c3ce202b2ba5cba2ddba7851
Instruction Fuzzy Hash: 45A218F36082049FE304AE2DEC8567ABBE9EFD4720F1A893DE6C4C7744E53558058796

Function 01002595 Relevance: 9.1, Strings: 6, Instructions: 1618COMMON

Download Yara Rule

Strings

6u{, xrefs: 01002F67
dY?, xrefs: 01002730
WZsm, xrefs: 01002D21
FG`s, xrefs: 01002BBE
Vr{{, xrefs: 010029F1
?, xrefs: 0100277B

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: FG`s$Vr{{$WZsm$dY?$6u{$?
API String ID: 0-4235601579
Opcode ID: 1d196ecea3e5b1385a4ece3196b0bc5901730ebd1ba965b6f63cc1001da235bd
Instruction ID: 688364e8395030fa5791cd75180e9b51cc35cc318b7d9085f3a3da761cb5b7ba
Opcode Fuzzy Hash: 1d196ecea3e5b1385a4ece3196b0bc5901730ebd1ba965b6f63cc1001da235bd
Instruction Fuzzy Hash: 42B2F4F360C6009FE304AE29EC8567AFBE5EFD4720F1A893DE6C4C7744E63598458692

Function 00E4DB30 Relevance: 9.0, Strings: 7, Instructions: 235COMMON

Download Yara Rule

Strings

8, xrefs: 00E4DD13
CN, xrefs: 00E4DBEA
SRQ, xrefs: 00E4DB4F
}~, xrefs: 00E4DBFA
Lw, xrefs: 00E4DBF2
5[Y, xrefs: 00E4DCD6
_], xrefs: 00E4DB47

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: 5[Y$8$CN$Lw$}~$SRQ$_]
API String ID: 0-3274379026
Opcode ID: 31e5590f62b0cb9bfc6fe2b6262e0b4f497e437a71171874b36b46383a3fc3c1
Instruction ID: f7bc1b455fa0a9256fb119a38c59016df1ecaa92b96aca2b808f32c0d507d4df
Opcode Fuzzy Hash: 31e5590f62b0cb9bfc6fe2b6262e0b4f497e437a71171874b36b46383a3fc3c1
Instruction Fuzzy Hash: 515147719183518BD320CF25C8902ABB7F2FFD2315F18995CE8C19B255EB74890AC792

Function 00E34AC0 Relevance: 8.2, Strings: 6, Instructions: 665COMMON

Download Yara Rule

Strings

bK, xrefs: 00E34B55
2L, xrefs: 00E34C1C
zQ, xrefs: 00E35173
,T, xrefs: 00E353F2
@O, xrefs: 00E34F39
bM, xrefs: 00E34D51

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: ,T$2L$@O$bK$bM$zQ
API String ID: 0-303244978
Opcode ID: b2e4ca3b130420b22101fb1f6def8a3632690e19b9a7832178b83fea4cc68322
Instruction ID: c802195d4db4773dc322513745e0c85369c678afae5ba8d1361fa7f0a97749a5
Opcode Fuzzy Hash: b2e4ca3b130420b22101fb1f6def8a3632690e19b9a7832178b83fea4cc68322
Instruction Fuzzy Hash: A3424676608301DFD704CF29D89475ABBE1BF88355F04886CE8999B3A1D7B5D988CF82

Function 00FFB884 Relevance: 6.7, Strings: 4, Instructions: 1694COMMON

Download Yara Rule

Strings

vI%8, xrefs: 00FFBFED
$vv, xrefs: 00FFC223
/=}_, xrefs: 00FFBA06
hJ=g, xrefs: 00FFBA50

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: $vv$/=}_$hJ=g$vI%8
API String ID: 0-714454905
Opcode ID: 43cb31ad5deecab7c7ef47719aa1b655dcde26c47dd447d5ddf144e36823600c
Instruction ID: d7677ad499ab8787f2705000533d81b2ee811a15d4cf0ee4f17d4f77e518fa04
Opcode Fuzzy Hash: 43cb31ad5deecab7c7ef47719aa1b655dcde26c47dd447d5ddf144e36823600c
Instruction Fuzzy Hash: 63B219F36082049FE304AE2DEC8567ABBE9EFD4720F168A3DE6C4C3744E93559058697

Function 0100ADFC Relevance: 6.6, Strings: 4, Instructions: 1643COMMON

Download Yara Rule

Strings

SP|-, xrefs: 0100BA17
,z~/, xrefs: 0100B299
":_, xrefs: 0100B2B0
5?Jz, xrefs: 0100B185

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: ":_$,z~/$5?Jz$SP|-
API String ID: 0-521415662
Opcode ID: fdb9cc3672ee1df37f1679fcc35ef837adc296e4ff23f4423e6f81582d2b6843
Instruction ID: 93c9646e424a8fea76bfc46acb94432e6dab0b51ff1ee356224ff0c41568bb15
Opcode Fuzzy Hash: fdb9cc3672ee1df37f1679fcc35ef837adc296e4ff23f4423e6f81582d2b6843
Instruction Fuzzy Hash: B0B22BF3A0C2049FE308AE2DEC8567AB7E9EF94720F16453DEAC5D3744EA3558018697

Function 00FF82F1 Relevance: 6.6, Strings: 4, Instructions: 1623COMMON

Download Yara Rule

Strings

]hmo, xrefs: 00FF8E9A
Kvrw, xrefs: 00FF90D6
s{_, xrefs: 00FF94E4
-Oz, xrefs: 00FF9423

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: -Oz$Kvrw$]hmo$s{_
API String ID: 0-3072104240
Opcode ID: 09ef36092a7904ed29d0432aa413620f3f168d09498074adbd0f37f2536e1fb6
Instruction ID: 0ebb609bd89e7a0326a13cafd47c217a0d36ef86d9c82e1c977ef41bcce39b6b
Opcode Fuzzy Hash: 09ef36092a7904ed29d0432aa413620f3f168d09498074adbd0f37f2536e1fb6
Instruction Fuzzy Hash: 14B206F3A0C214AFE304AE2DDC8567ABBE9EF94720F16493DEAC4C7744E63558018796

Function 00E3E35B Relevance: 6.5, Strings: 5, Instructions: 295COMMON

Download Yara Rule

Strings

r, xrefs: 00E3E385
U\, xrefs: 00E3E5AA
Zb, xrefs: 00E3E59F
frogs-severz.sbs, xrefs: 00E3E752
Lk, xrefs: 00E3E749, 00E3E750

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: Lk$U\$Zb$frogs-severz.sbs$r
API String ID: 0-2060998389
Opcode ID: 079a35e63325f2e30cf7d8af275224eaa62f735f71b83ec5233fdeaf99334438
Instruction ID: 6cefe15e9d187484b0a5164a96d89ef55ee707c065e5b633c6f325d4446c286a
Opcode Fuzzy Hash: 079a35e63325f2e30cf7d8af275224eaa62f735f71b83ec5233fdeaf99334438
Instruction Fuzzy Hash: 8DA1AC7010C3D18AD7758F25C4987EBBFE1AB93308F189A9CD0E95B282DB394506CB57

Function 00E39210 Relevance: 6.5, Strings: 5, Instructions: 269COMMON

Download Yara Rule

Strings

7514, xrefs: 00E392DC
84*6, xrefs: 00E392FC
)=+4, xrefs: 00E392E4
57, xrefs: 00E39229
N, xrefs: 00E39230

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: )=+4$57$7514$84*6$N
API String ID: 0-4020838272
Opcode ID: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
Instruction ID: 63a7b4c8d2f20fae46ae3be8122a5f5fa35bea33de4fe91b7ad6dca6a1af3b9e
Opcode Fuzzy Hash: be85e90a30f89c364b58cec467ad0dcda84538ec37489d1a8be0575a1ed0ed84
Instruction Fuzzy Hash: 2B71B57110C3C28BD315CB29C4A437BFFE19FA2309F18599DE4D65B282D7B9890AC752

Function 00E50870 Relevance: 5.9, Strings: 4, Instructions: 861COMMON

Download Yara Rule

Strings

+2/?, xrefs: 00E50C19
BBSH, xrefs: 00E50C90
GZE^, xrefs: 00E50C7C
=79, xrefs: 00E50C2E

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: +2/?$=79$BBSH$GZE^
API String ID: 0-3392023846
Opcode ID: ac8bef0bceb8bddc6f311b1ec6df6366006626790c564ce37448f18e7080ccee
Instruction ID: fbd780e702a4be1e667e66abf7bb9db8a6e755d2989d42587d6ed93d989bddaa
Opcode Fuzzy Hash: ac8bef0bceb8bddc6f311b1ec6df6366006626790c564ce37448f18e7080ccee
Instruction Fuzzy Hash: A152E270504B418FC735CF39C890766BBE1BF96314F149A6DD8E69BB92CB35A80ACB50

Function 00E3B210 Relevance: 5.5, Strings: 4, Instructions: 464COMMON

Download Yara Rule

Strings

=>?, xrefs: 00E3B69F
_o]a, xrefs: 00E3B482
TgXy, xrefs: 00E3B496
H{D}, xrefs: 00E3B4A0

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: H{D}$TgXy$_o]a$=>?
API String ID: 0-2004217480
Opcode ID: 06a2db13f6102a99b693d2a72c500e1a46e6237b264280a67fbe92d876f2360e
Instruction ID: 47e474a8dc08d8d0c03c757fa6243f56ba9a8ec6b06fc1fe685c83f61f976413
Opcode Fuzzy Hash: 06a2db13f6102a99b693d2a72c500e1a46e6237b264280a67fbe92d876f2360e
Instruction Fuzzy Hash: 0E1256B1610B01CFE324CF26D895B97BBF5FB45314F048A1DD5AA9BAA0CB74A449CF80

Function 00E57E20 Relevance: 5.5, Strings: 4, Instructions: 461COMMON

Download Yara Rule

Strings

a{, xrefs: 00E57F51
=:;8, xrefs: 00E583E6
=:;8, xrefs: 00E58194
kp, xrefs: 00E57F67

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: =:;8$=:;8$a{$kp
API String ID: 0-2717198472
Opcode ID: b32ae7c69a0897e0c27ddd5bc35d6612b9232a968b4cab5e6f42f65e21397c5a
Instruction ID: a920c5e52c36f559c760bbed42c82075f9dfa62ecfb17dbc0578275d0665f3f0
Opcode Fuzzy Hash: b32ae7c69a0897e0c27ddd5bc35d6612b9232a968b4cab5e6f42f65e21397c5a
Instruction Fuzzy Hash: C2E1CDB550C340CFE320CF25D98176BBBE1FBC9308F14982CE999AB295DB749849CB42

Function 00E3AD00 Relevance: 5.4, Strings: 4, Instructions: 424COMMON

Download Yara Rule

Strings

lPLN, xrefs: 00E3AD12
IK, xrefs: 00E3ADA1
svfZ, xrefs: 00E3AD62
@A, xrefs: 00E3AEE0

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: @A$lPLN$svfZ$IK
API String ID: 0-1806543684
Opcode ID: 87e407169746dd959c9b5daf58865a25a0f8bb22fd34b8196b69965dcc3ccf1c
Instruction ID: d881822ae5c780e346505ff153c4fde86bfad1d01a2f555fd4124dcb499f641c
Opcode Fuzzy Hash: 87e407169746dd959c9b5daf58865a25a0f8bb22fd34b8196b69965dcc3ccf1c
Instruction Fuzzy Hash: 9CC1387164D3848BD3288E2484A53AFBFE2EBC2704F18D92CE5E65B341D7758C09DB82

Function 00FFEF12 Relevance: 5.4, Strings: 3, Instructions: 1632COMMON

Download Yara Rule

Strings

lM0l, xrefs: 00FFFA0A
rjn_, xrefs: 00FFF5D0
Ps^, xrefs: 00FFF880

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: Ps^$lM0l$rjn_
API String ID: 0-60988864
Opcode ID: ef754bc86a1c52c794b513632a3c18bc270bdf7bc4f2d221acc1015c0f54649d
Instruction ID: 006fc08be63ad18bd429a90ec7e5933dd1f7cb4b65d8176015e372a877164f54
Opcode Fuzzy Hash: ef754bc86a1c52c794b513632a3c18bc270bdf7bc4f2d221acc1015c0f54649d
Instruction Fuzzy Hash: 63B218F3A0C2009FE7046E2DED8567ABBE9EF94320F1A863DE6C5C3744E93559018796

Function 00E55E90 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

@J, xrefs: 00E55EF1
ra, xrefs: 00E56160
KP, xrefs: 00E55EEA
VD, xrefs: 00E55EE3

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: @J$KP$VD$ra
API String ID: 0-3014653992
Opcode ID: 4ac9666c7c4b3cb0f0ea9e6bd6da1894190e24b235d9d6625115f957e4716573
Instruction ID: c40a8632b223b6a75fbd96af12662d8ccd64c8271b594768ae109860cc71a7d4
Opcode Fuzzy Hash: 4ac9666c7c4b3cb0f0ea9e6bd6da1894190e24b235d9d6625115f957e4716573
Instruction Fuzzy Hash: E991A772704B019FD720CF68DC81BABBBB1FB81300F14552CE599AB781C374A85ACB92

Function 00E34040 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

IEND, xrefs: 00E344AC
), xrefs: 00E340BC
), xrefs: 00E340C6

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: bcd52bcbb2e425e3ebf4e851f112801b677176d097a59a3a3b08ff6bfb1a7dea
Instruction ID: 5463efea5249853590209e43d01af102a3dce34eebc4c60b6a5f3373fe401047
Opcode Fuzzy Hash: bcd52bcbb2e425e3ebf4e851f112801b677176d097a59a3a3b08ff6bfb1a7dea
Instruction Fuzzy Hash: 31F1E0B1A087019BE314CF28D85976ABBE0BB94308F04462DFA95AB3D1D775E954CB82

Function 01005BBB Relevance: 4.1, Strings: 2, Instructions: 1648COMMON

Download Yara Rule

Strings

6D?, xrefs: 01006F61
>}*, xrefs: 010069CA

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: 6D?$>}*
API String ID: 0-3552628623
Opcode ID: 5e39d163df8393aef952a99e7b54cb1f5b051e6c4379a608398254d37c51b04e
Instruction ID: f84e116bb9f7bbb01256e00278ddb73998b1b7e5573d164de8ddccd5a27ccbce
Opcode Fuzzy Hash: 5e39d163df8393aef952a99e7b54cb1f5b051e6c4379a608398254d37c51b04e
Instruction Fuzzy Hash: A1B2E7F3A082049FE314AE2DDC8567AF7E9EFD4720F1A853DEAC4C3744EA3558058696

Function 00E35AC9 Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

Y, xrefs: 00E359E1
8, xrefs: 00E355BC
0, xrefs: 00E355C4

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: 0$8$Y
API String ID: 0-3650831924
Opcode ID: 6f737f6340e13ef49a3d5b974dcf4f392b7c6a4f235c82b8911dc55fb894fa78
Instruction ID: 0c6c8b17ddeb6c4c2a966dbbaf018e096782fd734f5d61a01c39ab287c39230c
Opcode Fuzzy Hash: 6f737f6340e13ef49a3d5b974dcf4f392b7c6a4f235c82b8911dc55fb894fa78
Instruction Fuzzy Hash: 7DA11276608780DFD320CF28D844B9EBBE1AB89304F14895CE9C8A7362C775E959CF52

Function 00E3542C Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

Y, xrefs: 00E359E1
8, xrefs: 00E355BC
0, xrefs: 00E355C4

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: 0$8$Y
API String ID: 0-3650831924
Opcode ID: 495e0fa332bccf81244257bdd10a6a81930add0cda713be1a96c081289ab208d
Instruction ID: 00cca85641d7c875acb82b5b7e0fcc1801a5d856cd2a512a5e89a12882679b94
Opcode Fuzzy Hash: 495e0fa332bccf81244257bdd10a6a81930add0cda713be1a96c081289ab208d
Instruction Fuzzy Hash: 97A11176608780DFD320CF28D84479ABBE1AB89314F18895CE9C8A7362C775E959CF52

Function 00FA33F5 Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

7t, xrefs: 00FA3430
!K, xrefs: 00FA3559
*FB, xrefs: 00FA35A2

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: !K$*FB$7t
API String ID: 0-3951377313
Opcode ID: e48a824712e86bd67eebfc584c38dbc1103c5cd1722a953b5bf8bc35b819d423
Instruction ID: d39b05998a3004bf3fad2e52367cf69fb9279f1611a0aaa6b29c800575cc5165
Opcode Fuzzy Hash: e48a824712e86bd67eebfc584c38dbc1103c5cd1722a953b5bf8bc35b819d423
Instruction Fuzzy Hash: BD51F4F3F083145BE354AE2DEC8476BB6D6DBD4320F2B853DDA8893784E8395C058696

Function 00E3C02B Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

A_, xrefs: 00E3C181
PQ, xrefs: 00E3C1A1
IG, xrefs: 00E3C171

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: PQ$A_$IG
API String ID: 0-2179527320
Opcode ID: d003608c9667f9de01e6e485e949a5350e674ee48f1ea8b65024d406ae1d940c
Instruction ID: b32ace5013efac155250a6c2b60363b238dc3796e76ba45d17397e7fc0788555
Opcode Fuzzy Hash: d003608c9667f9de01e6e485e949a5350e674ee48f1ea8b65024d406ae1d940c
Instruction Fuzzy Hash: A6419BB000C341CAC714CF21D85666BBBF0FF96758F24AA0DE0C5AB6A5E774C586CB4A

Function 01035FA1 Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

:du}, xrefs: 01036126
]g, xrefs: 010360C9
<cl, xrefs: 01035FB0

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: :du}$<cl$]g
API String ID: 0-881795885
Opcode ID: 5e88716f653b6ce6960107b8ee8f2bb06ea4e31e0559e4454d830772cca2edfb
Instruction ID: d30286d23177a9f8aaa2f9bedbdf6915b2509b7144c607acd9320f9900f98e14
Opcode Fuzzy Hash: 5e88716f653b6ce6960107b8ee8f2bb06ea4e31e0559e4454d830772cca2edfb
Instruction Fuzzy Hash: B45110B220C704AFD301AE2AED4553EF7E9EFC4720F19892EE5C587604EA3285408B47

Function 00E6F8D0 Relevance: 3.3, Strings: 2, Instructions: 813COMMON

Download Yara Rule

Strings

jC, xrefs: 00E6FAB7
cC, xrefs: 00E6FA5E

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: cC$jC
API String ID: 0-2055910567
Opcode ID: 3e418006ec1862f6e5283bc9b253e6247b0bd136d5b561d90c21663c75f20daf
Instruction ID: 8c24fdf02b360d308e9438df9f1f6ced4a3087a909245ee9ad30039133f6c59b
Opcode Fuzzy Hash: 3e418006ec1862f6e5283bc9b253e6247b0bd136d5b561d90c21663c75f20daf
Instruction Fuzzy Hash: BD420F32B04211CFDB08CF69E8906AEB7F2FB89311F1E957DC95AA7391C6349945CB81

Function 00E6C040 Relevance: 3.1, Strings: 2, Instructions: 624COMMON

Download Yara Rule

Strings

, xrefs: 00E6C167, 00E6C17A
f, xrefs: 00E6C271

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: f$
API String ID: 2994545307-508322865
Opcode ID: 1365fba0dc9f1f249ece80276999a5edae0467d6ceb216bf8d714d9f5b36cf32
Instruction ID: 95ae44577adb121641ded755ac4695f0379c0240ffb67bdfb286c996b78715f2
Opcode Fuzzy Hash: 1365fba0dc9f1f249ece80276999a5edae0467d6ceb216bf8d714d9f5b36cf32
Instruction Fuzzy Hash: D912F47064C3418FD714CF29D890A3BBBE2AFC5358F24AA2CE5D5A72A2D731D845CB52

Function 00E624E0 Relevance: 2.8, Strings: 2, Instructions: 254COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00E62591
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00E625D2

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-2492670020
Opcode ID: bab237cf513fdf0c25049fa373ea91226e474a219cb2a937e224baaf1344813a
Instruction ID: 434e86e609170e2f38c24b932ba40a6abd8231f617669a4310c6538e76e60122
Opcode Fuzzy Hash: bab237cf513fdf0c25049fa373ea91226e474a219cb2a937e224baaf1344813a
Instruction Fuzzy Hash: D0815C33A48A914BCB24CD3CAC512ED7B925F573B0B2D93ADD672BB3D5C1248D058351

Function 00F28E39 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Rq~W, xrefs: 00F28FAC
#f/f, xrefs: 00F28F08

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: #f/f$Rq~W
API String ID: 0-3899423331
Opcode ID: d487f34b8f39c39e844f24b151e1ebd611a0f4763f642cc3ccaeb15ed8e9687c
Instruction ID: 49042ed0f0eea2969d3f7920741c4241cb95801702fe5087129a4030cbc3a1cb
Opcode Fuzzy Hash: d487f34b8f39c39e844f24b151e1ebd611a0f4763f642cc3ccaeb15ed8e9687c
Instruction Fuzzy Hash: 81514AF360D2049FE30CAA2DEC9577AF7DAEBD4320F26463ED68583380DD7558054256

Function 00E3E970 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

efg`, xrefs: 00E3E8E0
efg`, xrefs: 00E3E990

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: efg`$efg`
API String ID: 0-3010568471
Opcode ID: 130b3fa59292ea1ca94779bceb641b38feac21539070d473c795949311fb1d59
Instruction ID: 9db426b69dd78fe5c6e0e87825169085f0b9fc0ca02f8ae70918a4fb7e0f5316
Opcode Fuzzy Hash: 130b3fa59292ea1ca94779bceb641b38feac21539070d473c795949311fb1d59
Instruction Fuzzy Hash: 3531B632A083508BD328DF51D59569FBBA2BFD4304F5A642CE9C677355CA309D0AC7D2

Function 00E58CB0 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

st@, xrefs: 00E591A4, 00E591E4, 00E59206, 00E5920A

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: st@
API String ID: 0-3741395493
Opcode ID: e31093b00da9e08712d051382d32c190fec2a872ae0a0f692c710407bc07f919
Instruction ID: 700941fcc424289fa20fbe02de75076f6e723a888577960ced1ef08c86c127b7
Opcode Fuzzy Hash: e31093b00da9e08712d051382d32c190fec2a872ae0a0f692c710407bc07f919
Instruction Fuzzy Hash: C4F146B150C381CFD304CF25D85026BBBE2AF9A304F18986DE9C5A7292D775D94DCB92

Function 00E58770 Relevance: 1.7, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

=:;8, xrefs: 00E587FC

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: =:;8
API String ID: 2994545307-508151936
Opcode ID: 3546e43f811631f6784454959e9fbe29d35522a4796066690923b76d16a21da8
Instruction ID: 3e597c9c7d75bf0670de353f43264b3aaf9d033e45ddefd97fc597c7d0e1cb27
Opcode Fuzzy Hash: 3546e43f811631f6784454959e9fbe29d35522a4796066690923b76d16a21da8
Instruction Fuzzy Hash: 19D16F72A483118BD714CA24CD81277B792EFC5309F19A97DDC857B392DE749C0AC791

Function 01004EAD Relevance: 1.7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

o8}w, xrefs: 010050F2

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: o8}w
API String ID: 0-1015639877
Opcode ID: 1c199de8f72f27c5cded275929a5da253b536c9c7586918782628200b7368b40
Instruction ID: 159981a168494526df62885b7484b5ba4129f8f00cd0ea578d4d521dab8ccdf5
Opcode Fuzzy Hash: 1c199de8f72f27c5cded275929a5da253b536c9c7586918782628200b7368b40
Instruction Fuzzy Hash: 1AE1E2F3A086009FE300AE69EC8576AB7E5EF94720F1A493DEAC4C3744E63598158797

Function 00E49530 Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

efg`, xrefs: 00E498E5

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: efg`
API String ID: 0-115929991
Opcode ID: c30ad75b30a5c567b35b637067ece4a4f2f60f1dde51f784ef5788e9774544fd
Instruction ID: 377f5d6291b9ddc8d53696ffc4eafa365f26143d5484248c0cde59594ff5b976
Opcode Fuzzy Hash: c30ad75b30a5c567b35b637067ece4a4f2f60f1dde51f784ef5788e9774544fd
Instruction Fuzzy Hash: 80C12471900215CFCB28CF68EC92ABB73B4FF49318F195158E956B7292F734A945C7A0

Function 00E70F60 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00E70FBA

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: eb7b43fb4e854e24130688f28f17468acf3192ce2b3cdfce21a79f93136331cb
Instruction ID: d28564550494d6d50aaac2fff7f55460f3bf295ce661e30b4e25b559d4ee0ef4
Opcode Fuzzy Hash: eb7b43fb4e854e24130688f28f17468acf3192ce2b3cdfce21a79f93136331cb
Instruction Fuzzy Hash: 4981AD352083418BC718DF1CD890A2AB7F2FF99754F05A5ACE989AB365D731EC51CB82

Function 00E361A0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00E362D6

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
Instruction ID: d611ec7cb4e26a3642ff6e87250c22554a08fb4f6164ea3c0b08e99b69743c03
Opcode Fuzzy Hash: 8b04fab32ec0b8383da590e4bd15150657e1dcf751765b097a457d664c512576
Instruction Fuzzy Hash: 9DB148701083819FD321CF68C89465BFFE0AFA9708F448E2DE5D997342D671E918CBA6

Function 00E6BCE0 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

5|iL, xrefs: 00E6BED0

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: 5|iL
API String ID: 2994545307-1880071150
Opcode ID: 0a43f8c81a63b8acc659770154f2ce5fc5747d149df4951edca50fa0442393ba
Instruction ID: 17909b09808c5099915c6fb9277bc02cfb698fb2d8c143eda0b7db1e92e9a00f
Opcode Fuzzy Hash: 0a43f8c81a63b8acc659770154f2ce5fc5747d149df4951edca50fa0442393ba
Instruction Fuzzy Hash: 04710A32B483108FC7148F299C80667B7B6EBC5364F15A66CE995FB265C371DC828BD1

Function 00E3E0D8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

efg`, xrefs: 00E3E100

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: efg`
API String ID: 2994545307-115929991
Opcode ID: 0e18b220f3d375be1b04d33828698356e20ca3a7d00553381fd757fe00d6b71e
Instruction ID: 9f24d5f898e2acbe9797bdc6a0ab405e98a65343425d06531148c2a2654ab608
Opcode Fuzzy Hash: 0e18b220f3d375be1b04d33828698356e20ca3a7d00553381fd757fe00d6b71e
Instruction Fuzzy Hash: 57512772A043504BD720EB619C867AF7AA3AFD0304F196828E98D77352DF306A06C7D3

Function 00F94EAB Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

jA~_, xrefs: 00F94FD3

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: jA~_
API String ID: 0-1324300177
Opcode ID: c739209aa920682ba37ee5c00bd2cf78334728c505c7ee444a0e2cce1248f737
Instruction ID: d6f95add69c52098d1d816ee8396e7eb2ec77c5d50f57d553fa7151daf7fbc82
Opcode Fuzzy Hash: c739209aa920682ba37ee5c00bd2cf78334728c505c7ee444a0e2cce1248f737
Instruction Fuzzy Hash: BD4138F3E082045BE30C9A2CEC597B3BACAD7D4720F1A823EEA45D77C4F97619058295

Function 00F57400 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

mmo, xrefs: 00F574FB

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: mmo
API String ID: 0-2826062500
Opcode ID: 74a25d17a427e975090f488ef07b3d612a79ee15df0703cc2b3bf007dd3d5c7f
Instruction ID: ebdc019680bedf9a44466324cc0e98341f286feb7eabd7b1ce27fbab30be763f
Opcode Fuzzy Hash: 74a25d17a427e975090f488ef07b3d612a79ee15df0703cc2b3bf007dd3d5c7f
Instruction Fuzzy Hash: 1F4128F37082045BE314AE29EC8577FF7D9EB94320F1A863DEAC5C3740E939A8158656

Function 00E3EA38 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

D, xrefs: 00E3EC76

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 8dabe60ac504a56925d4d20c84bc4e0c8c3ba50412e13717db14213367105ab6
Instruction ID: 8ddfd35a8bad07c376738f5e3fa92e80e864487d1f368adb33d21965f57b99ed
Opcode Fuzzy Hash: 8dabe60ac504a56925d4d20c84bc4e0c8c3ba50412e13717db14213367105ab6
Instruction Fuzzy Hash: 965100B05493818AE7208F12C86575BBBF1FF91748F20980CE6D92B3A4D7B59849CF87

Function 00E377D0 Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
Instruction ID: a81b93cccdc9443b8b4b6b0182edd6b18dd6a9c4b56410f5817f700b09a4a239
Opcode Fuzzy Hash: a9e56e85d3793a0f4e761ff8f8362607d8bf849bd197acd1c0af18c6b7dbfe6d
Instruction Fuzzy Hash: A242047160C3158BC724DF28E8842AAB7E2FFC4308F25A92DD9D6A7385D734E855CB42

Function 00E36CC0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf16c94d4b14380c07e174377fb8d98b1e35c67609cf3a53e43700734b5d4b5
Instruction ID: 9fcea55cbbc78f8088bdd9e285ada0a8edaaae1da709d096eb8be15e0d8037f9
Opcode Fuzzy Hash: bbf16c94d4b14380c07e174377fb8d98b1e35c67609cf3a53e43700734b5d4b5
Instruction Fuzzy Hash: A852D8B090CB889FEB34CB34C49C7A7BFE1EB91318F14681DD5D616782C2B9A985C751

Function 00E32B80 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d399a6aeb5d2710f33bb9fa76c9c241e8b19409a1bbea50a3c8d594f13876128
Instruction ID: 6b4b7feec443e71a1789ef001c9e247f48d37c44090401725472c4386422fc00
Opcode Fuzzy Hash: d399a6aeb5d2710f33bb9fa76c9c241e8b19409a1bbea50a3c8d594f13876128
Instruction Fuzzy Hash: 0052C1315083458BCB15CF29C084AEABFE1FF88318F199A6DE8D96B351D774E949CB81

Function 00E33580 Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ab492a140ffb345a3f4b495ae6f795da4c2eb4a85d8dcac45977b8f50b7863
Instruction ID: 22af86db3c1f42d26be40be9f849f32830a8c9087c934347e8f856ab2c9d371b
Opcode Fuzzy Hash: 01ab492a140ffb345a3f4b495ae6f795da4c2eb4a85d8dcac45977b8f50b7863
Instruction Fuzzy Hash: F44234B1914B108FC328CF29C594966BBF2BF85710B645A2ED697A7F90D736F940CB10

Function 00E35C90 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
Instruction ID: 19936ff30543274bee2f6129e7e44e2f5cc243ef8ba5104409657627af612a93
Opcode Fuzzy Hash: 21a1d6e3d5ba60b3bd1d97c05962dbaf1adc3ce7802fd18f61ea84a3f4fb9068
Instruction Fuzzy Hash: 33F19A712087419FC728CF28C885A6BBFE2EF94304F44992DE4D997792E731E944CB96

Function 00E36840 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
Instruction ID: 9da0a8abc337f8cb26799520c1bae3e077b5fd17429393a035a34722ddd9b555
Opcode Fuzzy Hash: 86e445ca3b438742181d2dbf2e8c100afcf3d334dfe90873b41fa4f189d33e65
Instruction Fuzzy Hash: 55C18CB2A083418FC364CF78C89679BBBE1BF84318F088A2DD5DAD7341E678A545CB45

Function 00E687B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
Instruction ID: fa0de87755476df21869175245b346e1d3eb3e5e8e01a1dd42f677cb894ae8ae
Opcode Fuzzy Hash: 5ba1380cb9152e7cdc994e456a920f27018b5a696dcda6c5b24acc876655b729
Instruction Fuzzy Hash: 92B12872D086D08FDB11CA7CC9843997FA26B97360F1DC395D9A5AB3CAC6354806C3A2

Function 00E71580 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82118adb06de2fbc9cd38bb554e5e06f3087909789dbba6e9543369a05c84f21
Instruction ID: d171b290da4c6559c9bdc2fb529e898e10aaffe298bae4ef6c54f8e25e55b61a
Opcode Fuzzy Hash: 82118adb06de2fbc9cd38bb554e5e06f3087909789dbba6e9543369a05c84f21
Instruction Fuzzy Hash: 8681F27160C3418FD718DF68E850A2BB7E2EF89314F08987CE99AE7291E674DC45C792

Function 00E6C780 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6072e1bed2d6b44526a78fad9467e880b81cfc41aba3bed047edfeb60b1bd4
Instruction ID: f0b813bf27a085d45c91a9f1a69da96483baa9e3151930cfa11a9c7dc7e0f067
Opcode Fuzzy Hash: 4f6072e1bed2d6b44526a78fad9467e880b81cfc41aba3bed047edfeb60b1bd4
Instruction Fuzzy Hash: 23A1233164C3904FC325CF28D49063ABBE2AFD6358F29C66DE4E59B392D634AC41CB52

Function 00E4FB60 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7599ad94e0edc555163e84f2b64188d765e4002c3c5e6bd98544d4921d658a
Instruction ID: 430704cd8fd01207989e516546f4fdf3fa3a6ad03d83dd6e655a64a2600172c6
Opcode Fuzzy Hash: 9d7599ad94e0edc555163e84f2b64188d765e4002c3c5e6bd98544d4921d658a
Instruction Fuzzy Hash: DE913C32E042614FC726CE28D85036ABBD1ABD5724F19C27DE8B9AB392D674CC46C3C1

Function 00E70C80 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9ec390e38bfad25af3e826575af42d8ec77456e83127df17a37f1ad73a92a10
Instruction ID: 05944e08c4bc3ed386ffc26f99f46fa60b48d4c76ca8b7af6fc9239f2bea0407
Opcode Fuzzy Hash: f9ec390e38bfad25af3e826575af42d8ec77456e83127df17a37f1ad73a92a10
Instruction Fuzzy Hash: F0710335608341DBDB24DB28D850A2FB7E2FFD8714F19E92CE589EB264E7309851C742

Function 00E641D0 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fd33168efe3bcd3b98e263152c7971aa97d4fedb0b190e03436ec8d3badd9e
Instruction ID: 29348db8ffb09a3f4cd2e1363327689efadcd5edcf5ad75c3e558c07e6e5afed
Opcode Fuzzy Hash: 39fd33168efe3bcd3b98e263152c7971aa97d4fedb0b190e03436ec8d3badd9e
Instruction Fuzzy Hash: B6716DB3B954904BCB1C897D6C122E9AA874BD237473ED37ADC75F73E1D9298D054240

Function 00FBCC55 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daedd777f64b04972b3060de65de1daef88e1f7c66fd57610b903c5406cb70d6
Instruction ID: 779960acb6121418ae9acd2604bdc0d275d6db7e6f9349214e11c9f4544591ff
Opcode Fuzzy Hash: daedd777f64b04972b3060de65de1daef88e1f7c66fd57610b903c5406cb70d6
Instruction Fuzzy Hash: 297106F3A086008FF304AE2DDC8177AB7E6EF94310F1A893DDAC4C7784DA7998558646

Function 00F969DB Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0af53631d5015b9857a7b510d6fb1167cc1e5916a193496ba68d716629d1bf
Instruction ID: ab17d96649fcb56753e3889204addafd007bf4724d0a06b3b632cfb38b00a265
Opcode Fuzzy Hash: bc0af53631d5015b9857a7b510d6fb1167cc1e5916a193496ba68d716629d1bf
Instruction Fuzzy Hash: 35716CF3E182105BE3045E3CDD947B7BBD5EB98360F2A853EEA84D7748E53998024396

Function 00EACFE0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de03b9a85b20ee7e25aac868cd1cdb3acf4d4b8d7157f3d1a86b82af1c3e61
Instruction ID: 2c6f1d54d62f6228363011dcfc4084f0ab987d80c35c613701f37c07e30aebc6
Opcode Fuzzy Hash: 94de03b9a85b20ee7e25aac868cd1cdb3acf4d4b8d7157f3d1a86b82af1c3e61
Instruction Fuzzy Hash: E36106F3E085209BE3006A2CDD4476ABBD6EBD4320F1B863DEED893784E539590587C2

Function 00F1413B Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf48ffc5dbf76bbad2d1903073c5bb2f3258699595fa9719451ba2461e91d78
Instruction ID: e32b91b575e21d7fb0615c825a771759686037a407f6732ff87115f2db7cb34e
Opcode Fuzzy Hash: 4cf48ffc5dbf76bbad2d1903073c5bb2f3258699595fa9719451ba2461e91d78
Instruction Fuzzy Hash: A46116F3B082045FE7096D7DDC8576AB7DAEBD8320F2A463DDA84C3384E97958058692

Function 00E6B8E0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b8419c14db64e5e4099f0e1c9cc6c37ecd4bca5bcd3926b1a0ff0815880e5d63
Instruction ID: a8b80cf2ee0e1f175fc172558fe6b11f9291dd57e11b540b39817b742a11bc22
Opcode Fuzzy Hash: b8419c14db64e5e4099f0e1c9cc6c37ecd4bca5bcd3926b1a0ff0815880e5d63
Instruction Fuzzy Hash: 54514732A483108BD320DF29AC4066BB7A2EFD5764F29E62CD9D5B7355E3319C828781

Function 00F874BA Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a42c4f60d8ae61d1d039d146cbf70fc64169243dc51a748f60dfae04f2015b
Instruction ID: e6781baa677abfab200be430eb4a6c503fdd0491809fb5f4fe12b7c4fc7b13d8
Opcode Fuzzy Hash: 44a42c4f60d8ae61d1d039d146cbf70fc64169243dc51a748f60dfae04f2015b
Instruction Fuzzy Hash: 96715BB3E1112547F3944D24DC583A27682ABA5320F2F42788E9CAB3C5D93F5D4A53C4

Function 00E50650 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e9c30039f59c7956cfefc276f63c0e2c2847ff724a5105235bb53487b4297c
Instruction ID: ae566f91e434e663a4a51368ed6d04324746ff3383d08917611a6bad5961cf14
Opcode Fuzzy Hash: 24e9c30039f59c7956cfefc276f63c0e2c2847ff724a5105235bb53487b4297c
Instruction Fuzzy Hash: 73517A37A0A9D04FC7248D3C1C112E95A530BEA334B3E576BECB4BB3E1C5668D0A9390

Function 00EB0511 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb93b99be6f86b36ff1d06472ce7ac0a94512138c376b9445d6efd9b3a12defb
Instruction ID: 0a3ac487cba31032fb88f88cd6198d736070b33dd83151143d6e0224e5dd7567
Opcode Fuzzy Hash: fb93b99be6f86b36ff1d06472ce7ac0a94512138c376b9445d6efd9b3a12defb
Instruction Fuzzy Hash: 615123F3E087284BE304BA6DDC8536AB6D5EB54320F2B453CEB8597780F979580187C6

Function 00F76A05 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b14f4cb1dc7f7d77bb7720dda87e8b8f455269b68710110d1e8d76b95887b2
Instruction ID: fa0e0b21e463c8a34036ebc0d8ae327b6b25970b2782ff9c0619e04077c634b6
Opcode Fuzzy Hash: 02b14f4cb1dc7f7d77bb7720dda87e8b8f455269b68710110d1e8d76b95887b2
Instruction Fuzzy Hash: CE51F3F3A181009FE704AE29DC4577AB7E6EFD4320F26863DDBD483784DA3858448696

Function 00EF3056 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd2adcb8e7b03a2462494b69697df4f6a0fa1ac647ae59fba19fc72d205ac19
Instruction ID: a2f8e2d84ccb041ece526b5a5f5d57afa27534ed1c551af7426daa46c455fbf1
Opcode Fuzzy Hash: bbd2adcb8e7b03a2462494b69697df4f6a0fa1ac647ae59fba19fc72d205ac19
Instruction Fuzzy Hash: 93415BB3E082149FF7146E79EC8577A77D9EB84320F1A463DEA84CB784F57A5C018282

Function 00E51790 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4f35c18a744dc0badb269d1405f78b6dc7789ffa19e1566ae0e333f6ad5e50
Instruction ID: 292b83036f152d80b41fa92ca36e9ca0b037b46d0ff176241669f8e631ff093b
Opcode Fuzzy Hash: ec4f35c18a744dc0badb269d1405f78b6dc7789ffa19e1566ae0e333f6ad5e50
Instruction Fuzzy Hash: 21413631B09344AFD314DF69AC82B5B7BE8EB8A318F04987DF949D3291D6349849C752

Function 00F712C6 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c4ebac096dc4801c75c2a8d4d2968d16f16cdca899a32ccbf8c2cea1e1667a
Instruction ID: c9d45800fb29abb98d9018d93fd3dd30c4f91e779716d2a17fac6472d6e0d29c
Opcode Fuzzy Hash: 17c4ebac096dc4801c75c2a8d4d2968d16f16cdca899a32ccbf8c2cea1e1667a
Instruction Fuzzy Hash: B141A1F3A083049BE714BE29DCC576AB7E5EBD8310F16853CDBC487784EA7568048687

Function 00F67AB4 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65caa3a383b369f6c914635bb7d7b7102519f6658dd6a74cbe6bc506dd94bc19
Instruction ID: cd4e275079b9bd436a68a95b1cb62d58d53567661433201beb05a28fe8ca5cc0
Opcode Fuzzy Hash: 65caa3a383b369f6c914635bb7d7b7102519f6658dd6a74cbe6bc506dd94bc19
Instruction Fuzzy Hash: EF4119F3E051009FE3006E29DC85B6AB796EBD5324F2F853DDAC893784E9395C058792

Function 00E627B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ea625c9db1be0315bbb620a322891fcf28e3ed3ffdd13671137fab19214d32
Instruction ID: e80cb53150e1c3307131e2544a090b7eab845607d950fcd430b1e9df913b442b
Opcode Fuzzy Hash: 23ea625c9db1be0315bbb620a322891fcf28e3ed3ffdd13671137fab19214d32
Instruction Fuzzy Hash: B0817EB458A3848FC379CF15DA9D68BBBE4BBE9304F50991D898C6B350CBB01449CF96

Function 00FC1C90 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183cabbb89790ec3d6ac9ac051da932962cd5022320c3c4251f7ef47c0dd02e4
Instruction ID: bec3f39beeb8b1f73c408bb04b1ca4e81f95460ee25d4e46b1289c27c884d381
Opcode Fuzzy Hash: 183cabbb89790ec3d6ac9ac051da932962cd5022320c3c4251f7ef47c0dd02e4
Instruction Fuzzy Hash: 6731C4B36086049FE3056E29DC45B7FBBE6EBD4720F0A492DE9C0C7704EA3598428793

Function 00E327D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fd47e560d0badb8f74274cecbbd9133b49827162a38d0a2691935eab925e55
Instruction ID: aa054e07d37a6be18b5d065575b9c048966480998f73c9bf2ff8bce7b9b55893
Opcode Fuzzy Hash: e1fd47e560d0badb8f74274cecbbd9133b49827162a38d0a2691935eab925e55
Instruction Fuzzy Hash: CD11E737B256214BF364CE7AECD86576752FBC9314B1A013CEF85FB202C622E845D191

Function 00E3BC9D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37e930d28a970ee30c6ba7cce94fe542c710425b5aa9c9eaa3b0aa9d1b10922
Instruction ID: 01a0474f6809b6cdf82d8fe9b64d10cde15dba69bd0742d1c83d393b25a86ef4
Opcode Fuzzy Hash: a37e930d28a970ee30c6ba7cce94fe542c710425b5aa9c9eaa3b0aa9d1b10922
Instruction Fuzzy Hash: 2EF0A77161C3815FD728CB25D89563FBBB1EB87614F10551CE3C6E3292EB61D8468B09

Function 00E6B860 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1345435651.0000000000E31000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000005.00000002.1345418655.0000000000E30000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345435651.0000000000E75000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345483018.0000000000E87000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000000E89000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001019000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.00000000010F3000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.000000000111F000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345498185.0000000001137000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345726488.0000000001138000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345829724.00000000012D8000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1345858295.00000000012D9000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5483426b551666e9571fc8dee49318e4b93d980574afb4e4f73a4b978d69e9d6
Instruction ID: 51a88377f5969e6c852d1403666853713d632066a1cbec0f3b9fd843aea48dca
Opcode Fuzzy Hash: 5483426b551666e9571fc8dee49318e4b93d980574afb4e4f73a4b978d69e9d6
Instruction Fuzzy Hash: CEB09250A042087F11289D0A8C45D7BB6BE96CB640B106008A408A3215D650EC0882FA

Source: https://frogs-severz.sbs/w	Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api	Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apin	Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/	Avira URL Cloud: Label: malware

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49705 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 104.21.88.250:443

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49707 -> 104.21.88.250:443

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [eax], bl	5_2_00E3CF05
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, eax	5_2_00E6B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	5_2_00E6B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h]	5_2_00E398F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push eax	5_2_00E6F8D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, eax	5_2_00E6F8D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h]	5_2_00E3E0D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push eax	5_2_00E6B860
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	5_2_00E50870
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh	5_2_00E6C040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh	5_2_00E6C040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h	5_2_00E6C040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh	5_2_00E6C040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	5_2_00E3C02B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h]	5_2_00E3E970
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], cx	5_2_00E3EA38
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h]	5_2_00E3E35B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h	5_2_00E6BCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], cl	5_2_00E58CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, ebp	5_2_00E35C90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, ebp	5_2_00E35C90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	5_2_00E3BC9D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx]	5_2_00E3AD00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [edi]	5_2_00E55E90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h]	5_2_00E377D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax	5_2_00E377D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch]	5_2_00E70F60

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe

Function 00E69030 Relevance: 21.6, APIs: 5, Strings: 7, Instructions: 629
memoryCOMMON

Function 00E3CF05 Relevance: 18.1, Strings: 14, Instructions: 574
COMMON

Function 00E389A0 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Function 00E6DF70 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00E6B7E0 Relevance: 1.5, APIs: 1, Instructions: 49
memoryCOMMON

Function 00E3CEB3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 00E3CE80 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 00E3D7D3 Relevance: 1.3, APIs: 1, Instructions: 8
COMMON