Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1559921
MD5:	b6232971846816075fb9476cb82148fb
SHA1:	32fdc8249eb381bdc6733092b6be00d3bdab5d2e
SHA256:	1a1fa8992c84f43a7d642d63ccbc350eccf35263a9aa097709ad75fa13bc69d7
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B6232971846816075FB9476CB82148FB)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 54%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1429538509.0000000004D90000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000FD994		0_2_000FD994
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F520		0_2_0026F520

Source: file.exe, 00000000.00000002.1563253184.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1400798345.00000000000F6000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 54%

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: \RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeV

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2772480 > 1048576

Source: file.exe

Static PE information: Raw size of jbjemqme is bigger than: 0x100000 < 0x29ec00

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.f0000.0.unpack :EW;.rsrc:W;.idata :W;jbjemqme:EW;ploemuvx:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2abce4 should be: 0x2af311

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: jbjemqme
Source: file.exe	Static PE information: section name: ploemuvx
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F8F1 push ebp; mov dword ptr [esp], 6EDEFB3Ah	0_2_0026F90D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F8F1 push ecx; mov dword ptr [esp], esi	0_2_0026F933
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F8F1 push edi; mov dword ptr [esp], 77A98CE4h	0_2_0026F968
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F8F1 push ecx; mov dword ptr [esp], 594E651Bh	0_2_0026FA18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027BE84 push edx; mov dword ptr [esp], 426721DFh	0_2_0027D7B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000FE80E push edx; mov dword ptr [esp], ecx	0_2_000FEA75
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00100812 push edi; mov dword ptr [esp], ebx	0_2_00100844
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00100812 push edi; mov dword ptr [esp], 6FF25F30h	0_2_00101479
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00100812 push 25CE6358h; mov dword ptr [esp], ebp	0_2_001035F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027A03D push eax; mov dword ptr [esp], ebx	0_2_0027A040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010100E push 2CE77462h; mov dword ptr [esp], ecx	0_2_001016C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010100E push 7BD31BA3h; mov dword ptr [esp], esi	0_2_0010265A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027C005 push 2F13232Fh; mov dword ptr [esp], ecx	0_2_0027D400
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030B87A push ebx; mov dword ptr [esp], 2BF6DE0Fh	0_2_0030B8AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0030B87A push edi; mov dword ptr [esp], ebp	0_2_0030B8CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027006C push eax; mov dword ptr [esp], 7DBF624Dh	0_2_002700BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027006C push ebp; mov dword ptr [esp], 7BFF617Ah	0_2_00270117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027006C push 4B19121Ah; mov dword ptr [esp], ecx	0_2_0027019B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0010085C push ecx; mov dword ptr [esp], edi	0_2_00101DF4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00270873 push 0FD8ADE9h; mov dword ptr [esp], eax	0_2_002708AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00270873 push 631C0AD1h; mov dword ptr [esp], ebx	0_2_002708D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026D0BC push edi; mov dword ptr [esp], 3B8F847Fh	0_2_0026D155
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026D0BC push 06370620h; mov dword ptr [esp], ecx	0_2_0026D256
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002740BD push 08235B1Ch; mov dword ptr [esp], eax	0_2_00274185
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001010B3 push ecx; mov dword ptr [esp], 477F9167h	0_2_00103782
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00270084 push eax; mov dword ptr [esp], 7DBF624Dh	0_2_002700BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00270084 push ebp; mov dword ptr [esp], 7BFF617Ah	0_2_00270117
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00270084 push 4B19121Ah; mov dword ptr [esp], ecx	0_2_0027019B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001018A4 push eax; mov dword ptr [esp], 5F0B7645h	0_2_001018D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002D20F4 push ebx; mov dword ptr [esp], edi	0_2_002D20E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001030C9 push 0C5ACD71h; mov dword ptr [esp], esi	0_2_001030DB

Source: file.exe

Static PE information: section name: entropy: 7.792497844647016

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFEF second address: FD8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp], eax 0x00000007 jmp 00007FCCF0DBDCDEh 0x0000000c push dword ptr [ebp+122D16F5h] 0x00000012 or dword ptr [ebp+122D2D1Ch], ebx 0x00000018 mov dword ptr [ebp+122D30EEh], eax 0x0000001e call dword ptr [ebp+122D29B1h] 0x00000024 pushad 0x00000025 pushad 0x00000026 add edx, dword ptr [ebp+122D3674h] 0x0000002c call 00007FCCF0DBDCDAh 0x00000031 sub dword ptr [ebp+122D1D1Dh], ebx 0x00000037 pop edx 0x00000038 popad 0x00000039 xor eax, eax 0x0000003b clc 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 cld 0x00000041 mov dword ptr [ebp+122D3500h], eax 0x00000047 jmp 00007FCCF0DBDCE7h 0x0000004c mov esi, 0000003Ch 0x00000051 mov dword ptr [ebp+122D2461h], eax 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b stc 0x0000005c jnl 00007FCCF0DBDCE1h 0x00000062 lodsw 0x00000064 jmp 00007FCCF0DBDCE7h 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jnl 00007FCCF0DBDCDCh 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 or dword ptr [ebp+122D2590h], esi 0x0000007d nop 0x0000007e pushad 0x0000007f jmp 00007FCCF0DBDCDFh 0x00000084 jl 00007FCCF0DBDCDCh 0x0000008a popad 0x0000008b push eax 0x0000008c push eax 0x0000008d push edx 0x0000008e js 00007FCCF0DBDCD8h 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26FA81 second address: 26FA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF19063FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 270028 second address: 270031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 270031 second address: 270052 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCCF1906402h 0x00000008 jp 00007FCCF19063F6h 0x0000000e jns 00007FCCF19063F6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 270052 second address: 270056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271AF1 second address: 271B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jne 00007FCCF19063F8h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271B07 second address: 271B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCCF0DBDCD6h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jns 00007FCCF0DBDCD6h 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007FCCF0DBDCDBh 0x0000001f pop eax 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 jmp 00007FCCF0DBDCE1h 0x0000002b push edx 0x0000002c jmp 00007FCCF0DBDCE8h 0x00000031 pop edx 0x00000032 popad 0x00000033 pop eax 0x00000034 jno 00007FCCF0DBDCD9h 0x0000003a push 00000003h 0x0000003c movsx edi, ax 0x0000003f push 00000000h 0x00000041 jmp 00007FCCF0DBDCDBh 0x00000046 push 00000003h 0x00000048 sbb dl, 00000003h 0x0000004b push 48393998h 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2840F6 second address: 2840FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CDF2 second address: 25CDF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25CDF6 second address: 25CDFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291C24 second address: 291C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291C2A second address: 291C30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291D88 second address: 291D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291D8C second address: 291D97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291D97 second address: 291DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCCF0DBDCD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291DA1 second address: 291DA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291DA7 second address: 291DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF0DBDCDAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291DB9 second address: 291DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291DBD second address: 291DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292656 second address: 29265C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29265C second address: 292692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FCCF0DBDCF0h 0x0000000c jno 00007FCCF0DBDCDAh 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292692 second address: 292696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292696 second address: 29269F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C21 second address: 292C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C27 second address: 292C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCCF0DBDCD6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C38 second address: 292C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C3C second address: 292C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C48 second address: 292C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C4C second address: 292C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCCF0DBDCDDh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C65 second address: 292C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292C69 second address: 292C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 293354 second address: 293358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 293358 second address: 293364 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCCF0DBDCD6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 293364 second address: 293377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCCF19063FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2934EB second address: 2934EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 293663 second address: 293669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2937DA second address: 2937F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCF0DBDCE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 298C6D second address: 298C89 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCCF1906401h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 298C89 second address: 298C93 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCCF0DBDCD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297522 second address: 297526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297D66 second address: 297D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCCF0DBDCDBh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297D7E second address: 297D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297D82 second address: 297D9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 297D9E second address: 297DA3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 298EEB second address: 298F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCE1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 298F01 second address: 298F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 298F07 second address: 298F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29FDC1 second address: 29FDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCCF19063F6h 0x0000000a popad 0x0000000b push ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29FDD0 second address: 29FDDA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCCF0DBDCDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29FDDA second address: 29FDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007FCCF19063FFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29FF8F second address: 29FF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A00F8 second address: 2A0102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0102 second address: 2A0106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0106 second address: 2A010C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A03C2 second address: 2A03FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCCF0DBDCDBh 0x0000000b jmp 00007FCCF0DBDCE7h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 js 00007FCCF0DBDCD6h 0x0000001a push esi 0x0000001b pop esi 0x0000001c jo 00007FCCF0DBDCD6h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0520 second address: 2A053F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FCCF1906405h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0FF7 second address: 2A0FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1397 second address: 2A13B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCCF19063F6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FCCF1906402h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A13B8 second address: 2A13C2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCCF0DBDCDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A142C second address: 2A144E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906406h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FCCF19063F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1BF1 second address: 2A1BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1C80 second address: 2A1C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1C87 second address: 2A1CA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1D4F second address: 2A1D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A25E4 second address: 2A25E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A25E8 second address: 2A25EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A25EE second address: 2A2651 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov esi, 18F552C0h 0x0000000e mov esi, 2C766A1Ch 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 mov di, bx 0x00000019 pop edi 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007FCCF0DBDCD8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 push edx 0x00000037 mov di, 125Ah 0x0000003b pop esi 0x0000003c mov si, 3B07h 0x00000040 xchg eax, ebx 0x00000041 jmp 00007FCCF0DBDCE4h 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 push edi 0x0000004a pop edi 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2651 second address: 2A2655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A3069 second address: 2A3073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCCF0DBDCD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2E59 second address: 2A2E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A40D3 second address: 2A415B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCCF0DBDCDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FCCF0DBDCD8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007FCCF0DBDCDEh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FCCF0DBDCD8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a call 00007FCCF0DBDCE3h 0x0000004f xor dword ptr [ebp+1246FE36h], eax 0x00000055 pop esi 0x00000056 mov edi, 3C99BC94h 0x0000005b push eax 0x0000005c js 00007FCCF0DBDCE0h 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A38F5 second address: 2A38F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A38F9 second address: 2A38FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4D06 second address: 2A4D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FCCF19063F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7705 second address: 2A770A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AA81D second address: 2AA824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AC842 second address: 2AC85F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCF0DBDCE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A69B2 second address: 2A69B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7492 second address: 2A74B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCE9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AAA16 second address: 2AAA1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AC85F second address: 2AC8AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FCCF0DBDCD8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 and ebx, 0B8513BBh 0x00000029 push 00000000h 0x0000002b sub edi, 35E11DEDh 0x00000031 mov dword ptr [ebp+12456597h], eax 0x00000037 push 00000000h 0x00000039 xor dword ptr [ebp+122D2590h], edx 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 pushad 0x00000042 jo 00007FCCF0DBDCD6h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A69B6 second address: 2A69D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906405h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A69D7 second address: 2A69DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A69DB second address: 2A69F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906402h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AF7E4 second address: 2AF7EE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCCF0DBDCD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AE94D second address: 2AE951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AF7EE second address: 2AF869 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FCCF0DBDCE0h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FCCF0DBDCD8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 jp 00007FCCF0DBDCDCh 0x0000002e mov ebx, dword ptr [ebp+122D1EC9h] 0x00000034 push 00000000h 0x00000036 call 00007FCCF0DBDCDAh 0x0000003b mov edi, 72372AF2h 0x00000040 pop edi 0x00000041 push 00000000h 0x00000043 xchg eax, esi 0x00000044 jo 00007FCCF0DBDCF6h 0x0000004a pushad 0x0000004b jmp 00007FCCF0DBDCE8h 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AE951 second address: 2AE957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ADB39 second address: 2ADB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AF869 second address: 2AF892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jnp 00007FCCF190640Fh 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AE957 second address: 2AE95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ADB3D second address: 2ADB51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF19063FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ADB51 second address: 2ADB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AEA2F second address: 2AEA34 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ADB57 second address: 2ADB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jg 00007FCCF0DBDCD8h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ADB6B second address: 2ADB6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B0BFE second address: 2B0C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B1CB6 second address: 2B1CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCCF1906402h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCCF1906402h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B2B74 second address: 2B2BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jno 00007FCCF0DBDCDCh 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007FCCF0DBDCE0h 0x00000012 push 00000000h 0x00000014 and ebx, dword ptr [ebp+122D367Ch] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCCF0DBDCD8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 xor ebx, dword ptr [ebp+122D3498h] 0x0000003c mov dword ptr [ebp+12456597h], eax 0x00000042 xchg eax, esi 0x00000043 jno 00007FCCF0DBDCE2h 0x00000049 push eax 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d jl 00007FCCF0DBDCD6h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AFB14 second address: 2AFB1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FCCF19063F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B49CF second address: 2B49D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B5BE2 second address: 2B5BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B5BE6 second address: 2B5C47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCCF0DBDCDDh 0x0000000b popad 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D372Ch] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FCCF0DBDCD8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov ebx, dword ptr [ebp+122D316Ah] 0x00000035 js 00007FCCF0DBDCDCh 0x0000003b add edi, 09A02D21h 0x00000041 push 00000000h 0x00000043 cmc 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jns 00007FCCF0DBDCDCh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B2D06 second address: 2B2D18 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCCF19063F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B2D18 second address: 2B2D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7B87 second address: 2B7B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FCCF19063F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7B98 second address: 2B7BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B6DD0 second address: 2B6DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B6DD4 second address: 2B6DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B8C1F second address: 2B8C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B8C25 second address: 2B8C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B9C18 second address: 2B9C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D2F70 second address: 2D2F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D3150 second address: 2D31A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906409h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCCF1906405h 0x00000010 pop edx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jp 00007FCCF1906400h 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 jmp 00007FCCF19063FAh 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D7851 second address: 2D7877 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCCF0DBDCF1h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D7D08 second address: 2D7D15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D7E56 second address: 2D7E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D7E5A second address: 2D7E88 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCCF19063F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007FCCF19063F6h 0x00000011 jmp 00007FCCF19063FBh 0x00000016 popad 0x00000017 pop edx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCCF19063FDh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D810D second address: 2D8119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 popad 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25E857 second address: 25E861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCCF19063F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25E861 second address: 25E867 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25E867 second address: 25E886 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF19063FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25E886 second address: 25E897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCCF0DBDCD6h 0x0000000a jl 00007FCCF0DBDCD6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DCDE2 second address: 2DCDEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCCF19063F6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DCF41 second address: 2DCF46 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DD203 second address: 2DD208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DD749 second address: 2DD74D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DD74D second address: 2DD753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DD753 second address: 2DD79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007FCCF0DBDCDAh 0x00000010 jmp 00007FCCF0DBDCE1h 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FCCF0DBDCE6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DDAA6 second address: 2DDABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906400h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DDABA second address: 2DDAC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DDAC2 second address: 2DDAE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF19063FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 je 00007FCCF19063F6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DDAE8 second address: 2DDAF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FCCF0DBDCD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1AE0 second address: 2E1B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007FCCF1906408h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jo 00007FCCF19063F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B07 second address: 2E1B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B0D second address: 2E1B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B13 second address: 2E1B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF0DBDCDBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B26 second address: 2E1B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B2C second address: 2E1B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B32 second address: 2E1B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B36 second address: 2E1B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B3A second address: 2E1B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF19063FFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E1B51 second address: 2E1B57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E70A1 second address: 2E70B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pushad 0x00000008 jnc 00007FCCF19063F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7219 second address: 2E721D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E765A second address: 2E765F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7953 second address: 2E795E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E7AC6 second address: 2E7AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007FCCF1906408h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EBAF5 second address: 2EBB1B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCCF0DBDCF1h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EBB1B second address: 2EBB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCCF19063F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A8FB0 second address: 2A8FDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FCCF0DBDCD6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d push ecx 0x0000000e mov dx, 1489h 0x00000012 pop ecx 0x00000013 nop 0x00000014 jns 00007FCCF0DBDCDCh 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jnl 00007FCCF0DBDCD8h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A90FB second address: 2A9116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906407h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9116 second address: 2A9146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FCCF0DBDCE7h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 jbe 00007FCCF0DBDCD6h 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A92FF second address: 2A9303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9303 second address: 2A9309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A96F6 second address: 2A96FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9AB7 second address: 2A9ACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FCCF0DBDCDCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9ACD second address: 2A9B11 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCCF1906408h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FCCF19063FEh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 jmp 00007FCCF1906400h 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EBFB5 second address: 2EBFBB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC0E4 second address: 2EC11A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007FCCF1906406h 0x00000011 jo 00007FCCF19063F6h 0x00000017 popad 0x00000018 jmp 00007FCCF19063FDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC27F second address: 2EC294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCCF0DBDCD6h 0x0000000f jl 00007FCCF0DBDCD6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC294 second address: 2EC29F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC29F second address: 2EC2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC2A8 second address: 2EC2AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC2AD second address: 2EC2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCE4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC567 second address: 2EC56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC56C second address: 2EC585 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCCF0DBDCEBh 0x00000008 jmp 00007FCCF0DBDCDFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC585 second address: 2EC594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FCCF19063F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC857 second address: 2EC85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC85B second address: 2EC85F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC85F second address: 2EC869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EC869 second address: 2EC87F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906402h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F0AF8 second address: 2F0B0F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCCF0DBDCD6h 0x00000008 jnc 00007FCCF0DBDCD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F2F74 second address: 2F2F80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F2F80 second address: 2F2F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F2F84 second address: 2F2F9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF19063FFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F654D second address: 2F6553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268749 second address: 26878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FCCF1906405h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 jbe 00007FCCF190640Ch 0x0000001b jmp 00007FCCF1906400h 0x00000020 jc 00007FCCF19063F6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26878A second address: 2687AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE8h 0x00000007 pushad 0x00000008 jnc 00007FCCF0DBDCD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2687AD second address: 2687B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F5DE0 second address: 2F5DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F625E second address: 2F6262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FB628 second address: 2FB635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007FCCF0DBDCDCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FB635 second address: 2FB651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push ecx 0x00000007 jmp 00007FCCF19063FEh 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FB651 second address: 2FB660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCDBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FA856 second address: 2FA865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FCCF19063F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FA865 second address: 2FA875 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FCCF0DBDCD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FA875 second address: 2FA88E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF19063FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FAB3C second address: 2FAB4C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCCF0DBDCD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FAB4C second address: 2FAB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FAB50 second address: 2FAB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FAB58 second address: 2FABA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCCF19063FEh 0x00000008 jmp 00007FCCF1906406h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 ja 00007FCCF1906409h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FABA2 second address: 2FABA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FAE75 second address: 2FAEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FCCF19063FCh 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FCCF1906409h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FAFD6 second address: 2FAFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FB13F second address: 2FB14B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300028 second address: 300037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FCCF0DBDCD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300420 second address: 300424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30057D second address: 300585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300585 second address: 30058B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30058B second address: 3005A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCE4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A954E second address: 2A9554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A9554 second address: 2A95AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b sub dword ptr [ebp+122D24B0h], eax 0x00000011 add esi, dword ptr [ebp+122D36E8h] 0x00000017 popad 0x00000018 push 00000004h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007FCCF0DBDCD8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov edi, edx 0x00000036 push eax 0x00000037 push edi 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 300869 second address: 30086D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3009B2 second address: 3009B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3009B8 second address: 3009BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3009BE second address: 3009D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 305620 second address: 305626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 304D83 second address: 304D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 304D87 second address: 304D97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007FCCF19063FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 305332 second address: 30533D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCCF0DBDCD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D340 second address: 30D34A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCCF19063F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D34A second address: 30D35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FCCF0DBDCDEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D35E second address: 30D363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30B31E second address: 30B323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30B323 second address: 30B32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30BBEF second address: 30BBF6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30BF26 second address: 30BF5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF1906406h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCCF19063FAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCCF1906401h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30C24C second address: 30C266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30C526 second address: 30C52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30C52B second address: 30C531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30CD62 second address: 30CD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30CD6B second address: 30CD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30CD6F second address: 30CD73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30CD73 second address: 30CD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D033 second address: 30D050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF1906408h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30D050 second address: 30D066 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FCCF0DBDCDFh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3114BC second address: 3114C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 311662 second address: 31167B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF0DBDCDBh 0x0000000d jo 00007FCCF0DBDCD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 312044 second address: 31204F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCCF19063F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31700C second address: 317012 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 317012 second address: 317018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 317018 second address: 31701C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31D61A second address: 31D627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FCCF19063F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31D627 second address: 31D644 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31D7CB second address: 31D7DD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCCF19063F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31D7DD second address: 31D7E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FCCF0DBDCD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DA50 second address: 31DA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DA54 second address: 31DA82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FCCF0DBDCDBh 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DA82 second address: 31DA8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DA8A second address: 31DA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DF01 second address: 31DF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCF19063FBh 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31DF12 second address: 31DF26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FCCF0DBDCD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FCCF0DBDCDCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31E2FF second address: 31E303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31E303 second address: 31E33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCCF0DBDCDCh 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jg 00007FCCF0DBDCD6h 0x0000001b popad 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EAEB second address: 31EAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCCF19063F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EAF5 second address: 31EB0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF0DBDCDDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EB0C second address: 31EB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EB10 second address: 31EB28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EB28 second address: 31EB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EB2F second address: 31EB4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCF0DBDCE2h 0x00000009 jo 00007FCCF0DBDCD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31EB4B second address: 31EB4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3242F4 second address: 324302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 328639 second address: 32863D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336B80 second address: 336B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336B88 second address: 336B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336B8E second address: 336B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336B95 second address: 336BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FCCF1906403h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 336BAE second address: 336BE2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCCF0DBDCD6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007FCCF0DBDCDAh 0x00000018 popad 0x00000019 push esi 0x0000001a push edi 0x0000001b pop edi 0x0000001c jmp 00007FCCF0DBDCE2h 0x00000021 pop esi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 339DF6 second address: 339DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 339DFA second address: 339E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33980B second address: 33981E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCCF19063F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FCCF19063F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33981E second address: 339823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33998B second address: 33999A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FCCF19063F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345D01 second address: 345D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B4B second address: 345B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B51 second address: 345B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B55 second address: 345B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B59 second address: 345B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B5F second address: 345B7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF19063FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FCCF19063FCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B7E second address: 345B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 345B82 second address: 345B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCCF1906404h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34BE39 second address: 34BE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FCCF0DBDCE1h 0x0000000b jmp 00007FCCF0DBDCDAh 0x00000010 pop edi 0x00000011 jmp 00007FCCF0DBDCE4h 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356CCB second address: 356CD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FCCF19063F8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356CD9 second address: 356CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCCF0DBDCE2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356CEF second address: 356CF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356CF9 second address: 356CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356CFD second address: 356D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356F8E second address: 356F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356F96 second address: 356F9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356F9C second address: 356FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCCF0DBDCD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 356FA8 second address: 356FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCCF1906404h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3573D0 second address: 3573F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007FCCF0DBDCD6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FCCF0DBDCE3h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35D3C5 second address: 35D3C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35D3C9 second address: 35D3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37274F second address: 37276F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF1906409h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37276F second address: 37277B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37277B second address: 37277F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 374FE9 second address: 374FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 374FF1 second address: 374FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCCF19063F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 374FFD second address: 375004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 375004 second address: 375034 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jg 00007FCCF19063F6h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jmp 00007FCCF1906403h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jl 00007FCCF1906404h 0x0000001d pushad 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 374E61 second address: 374E6D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCCF0DBDCD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377121 second address: 377168 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCCF19063F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FCCF1906404h 0x00000015 jng 00007FCCF1906414h 0x0000001b jmp 00007FCCF19063FAh 0x00000020 jmp 00007FCCF1906404h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 377168 second address: 37716D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37716D second address: 377175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 376CFE second address: 376D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FCCF0DBDCE1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 376E85 second address: 376E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FCCF19063F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37A4A6 second address: 37A4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37A4AA second address: 37A4B3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37FC50 second address: 37FC56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38005D second address: 380067 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCCF19063FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 380067 second address: 3800AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF0DBDCE6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FCCF0DBDCDCh 0x00000011 jmp 00007FCCF0DBDCE9h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38037F second address: 380384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381E65 second address: 381E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381E6B second address: 381E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 381E70 second address: 381E7A instructions: 0x00000000 rdtsc 0x00000002 je 00007FCCF0DBDCDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38562D second address: 385631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 385631 second address: 385648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF0DBDCE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 385648 second address: 385667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCCF1906409h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38A7FE second address: 38A803 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38DE90 second address: 38DE9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FCCF19063F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38FAEE second address: 38FAF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38FAF4 second address: 38FAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCCF19063F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38FAFE second address: 38FB21 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCCF0DBDCD6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jl 00007FCCF0DBDCEAh 0x00000014 jne 00007FCCF0DBDCDCh 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 386730 second address: 386735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 385170 second address: 38517C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCCF0DBDCDEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 385311 second address: 38533F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FCCF1906404h 0x0000000b jp 00007FCCF19063FEh 0x00000011 push edi 0x00000012 pop edi 0x00000013 jng 00007FCCF19063F6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d push edx 0x0000001e pop edx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38533F second address: 38534B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCCF0DBDCD6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38534B second address: 38535E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCCF19063FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38535E second address: 38536C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jno 00007FCCF0DBDCD6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3854DD second address: 3854E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A3BBC second address: 2A3BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A3BC7 second address: 2A3BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FD7EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FD8F7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FD811 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2A899F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 32E8EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 10207F instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 51D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4FF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00271E35 rdtsc

0_2_00271E35

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7724

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002CE743 GetSystemInfo,VirtualAlloc,

0_2_002CE743

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00273DE0 Start: 00273DF3 End: 00273DED

0_2_00273DE0

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00271E35 rdtsc

0_2_00271E35

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000FB7DA LdrInitializeThunk,

0_2_000FB7DA

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Qx>Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	55%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559921
Start date and time:	2024-11-21 06:23:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.514190128774051
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'772'480 bytes
MD5:	b6232971846816075fb9476cb82148fb
SHA1:	32fdc8249eb381bdc6733092b6be00d3bdab5d2e
SHA256:	1a1fa8992c84f43a7d642d63ccbc350eccf35263a9aa097709ad75fa13bc69d7
SHA512:	7f861f5086dddbd0939f303a78b1ad00464d666171448e7d386318b988a09434ace95288dbe0f4dc51cca39dacbed97b405b111e149ca31d3ca1ff4f3cab781a
SSDEEP:	49152:h0Sk1NiPWUBwqbUUBgxIRripJuQRkjEGC:q1NWWUvbUIgxIRr8JuQRPGC
TLSH:	05D53B92A407B1CFD89E1B74A527CD826E6D43B94B2409C3EC5DA5BA7D63CC112F6C38
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$.............. ...`....@.. ........................+..........`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6ac000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FCCF086024Ah
cvttps2pi mm5, qword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	38146e81d35e7a7a08d7cdbad94583ee	False	0.9325086805555556	data	7.792497844647016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jbjemqme	0xa000	0x2a0000	0x29ec00	f8ae78c30af2bf7e14643b4091981f6c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ploemuvx	0x2aa000	0x2000	0x600	1aff643d92fa7ab66d5f98ce1d796cbf	False	0.5904947916666666	data	5.0713391687192155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2ac000	0x4000	0x2200	12efe35b337c8f7f49ea3bff0dbd9b24	False	0.006433823529411764	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	00:24:02
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf0000
File size:	2'772'480 bytes
MD5 hash:	B6232971846816075FB9476CB82148FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	3%
Signature Coverage:	5.6%
Total number of Nodes:	303
Total number of Limit Nodes:	18

Executed Functions

Function 002CE743 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-121D5FEC), ref: 002CE74F
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 002CE7B0

Memory Dump Source

Source File: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: e1c20014a43da9f19e340b8a463c238de31d6b6afbe1cbb222ad29cb95c5a2d7
Instruction ID: 6432b5eae379d0b526cc2b350adf8b5db6000b11c4b65d80f2293296d1bfb653
Opcode Fuzzy Hash: e1c20014a43da9f19e340b8a463c238de31d6b6afbe1cbb222ad29cb95c5a2d7
Instruction Fuzzy Hash: 79411FB1D14207AAD735CF60C946FAAB7ACFF08741F110566B607DA482E7B095E49BE0

Function 00271E35 Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c323d4c8be39c5ed6ab44f206caf76ed14dbf9b238d855589831cf1d5e9890c
Instruction ID: 983f1ec8f38905f16c09d7f6ac2fbe4d470a00292e8e2f4bb8d3249b2e894738
Opcode Fuzzy Hash: 7c323d4c8be39c5ed6ab44f206caf76ed14dbf9b238d855589831cf1d5e9890c
Instruction Fuzzy Hash: 7411D2B76682157EF7018A299E41ABBB66CEF85730F30C026F809E7482C2F10D399624

Function 000FB7DA Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 000FB94A

Memory Dump Source

Source File: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: ec361a3c7ea55a2e0183ded48a7f7f75f9a43d2f4b9ddaf07c8cdcd96a207308
Instruction ID: 46eec6fd05855692609ca7869acfe90ed2ab149c050cf2bffba4b79b3dd66316
Opcode Fuzzy Hash: ec361a3c7ea55a2e0183ded48a7f7f75f9a43d2f4b9ddaf07c8cdcd96a207308
Instruction Fuzzy Hash: 25E08C3110848DCADF26DF60C9027F9364EDB80700F504615BB418AE4BCF6D0D12EB95

Function 002C4F2F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 002C5040
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 002C5054

Strings

.exe, xrefs: 002C4F9B
1002, xrefs: 002C500A
.dll, xrefs: 002C4F77

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 5a0f94a27225cecdbcfb7c019dce45bfc42c419764bf9e87fff8f67285a1a4bc
Instruction ID: 9b2e90d427ecfac3c70b9677d3fb638ebd391ab7e5d95c488f040ebe8f3dc624
Opcode Fuzzy Hash: 5a0f94a27225cecdbcfb7c019dce45bfc42c419764bf9e87fff8f67285a1a4bc
Instruction Fuzzy Hash: EC31843242012AEFDF20AF50C814FAE7B75FF08310F10866EF80696561C770AAB0DBA1

Function 002C5435 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,002C53C7,?,00000000,00000000), ref: 002C54F2
GetModuleHandleA.KERNEL32(00000000,?,?,?,002C53C7,?,00000000,00000000), ref: 002C5500

Strings

.dll, xrefs: 002C5468

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: 1397952cef5cd47be5437edab94e0fba82ca12b8865b8c868babcae18dc777e1
Instruction ID: a999df1b3b0b5e568ac7c2fc10c38fab11d5469e58362c93e395381ab7c1d97a
Opcode Fuzzy Hash: 1397952cef5cd47be5437edab94e0fba82ca12b8865b8c868babcae18dc777e1
Instruction Fuzzy Hash: 4A113030220A5BEAEF389F14C809FAA7A71BF0438AF40831DE415444A1D7F5E9F4DA91

Function 002C3E0F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 002C3E71

Strings

\\?\, xrefs: 002C3ECC

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 31949444ae2f6219167ce34caee6ec2e53de963abdc698dd47a7cce75c39f6ef
Instruction ID: 47c1a70c2d2aee8b36da10a4fc965e00e64ad0f22870a16a37e1ff63cc4e5c29
Opcode Fuzzy Hash: 31949444ae2f6219167ce34caee6ec2e53de963abdc698dd47a7cce75c39f6ef
Instruction Fuzzy Hash: 0B314571A1120AFEEF21DF98C809FCEBA75BF08304F009A59FA00A54A0D7769A71DB54

Function 002C551E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002C385C: GetCurrentThreadId.KERNEL32 ref: 002C386B

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 002C5582

Strings

.dll, xrefs: 002C553F

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CurrentHandleModuleThread
String ID: .dll
API String ID: 2752942033-2738580789
Opcode ID: dcfab8c2557723d2b651976dc55682be9a17073e117ae9a74f768d25d27fb232
Instruction ID: e64c6a20575c0ff17af05e6571afed565aad6a5d2ff54a897f11905f81a4d725
Opcode Fuzzy Hash: dcfab8c2557723d2b651976dc55682be9a17073e117ae9a74f768d25d27fb232
Instruction Fuzzy Hash: 87F01D72120609EFDF10DF64C945FAD3FB6BF08394F908619F90589152D771E9B09A51

Function 00271F17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Strings

m, xrefs: 00271F17

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID: m
API String ID: 823142352-3775001192
Opcode ID: 0098b7fa50ddb7a21a6a0fd69ba875276adb996b4b53becffe6f4c13db64863a
Instruction ID: 2e7ba5af48828a891b7ae9df9ae3d187f2e26c94b53566e20f7c1900b3ac13ac
Opcode Fuzzy Hash: 0098b7fa50ddb7a21a6a0fd69ba875276adb996b4b53becffe6f4c13db64863a
Instruction Fuzzy Hash: 0AF09735A5436A2EDB00AF38CC8039EBB20EF04310F5C8049D804E7E82C275AC30CB49

Function 002CEAE6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 37
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,,,002CEAE2,?,?,?,?,?,,,?,?,002CE7E8), ref: 002CEB06

Strings

,, xrefs: 002CEAE6

Memory Dump Source

Source File: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: ,
API String ID: 4275171209-1222783184
Opcode ID: 0acd1ce5ec3562cf4ff517e5f011cb9daac21f4bbc4d1ee91f795d2a81623080
Instruction ID: 03ea01c36980c578c7e0869fdeabb77be6546b8acb2940686b69e6e7619bbad0
Opcode Fuzzy Hash: 0acd1ce5ec3562cf4ff517e5f011cb9daac21f4bbc4d1ee91f795d2a81623080
Instruction Fuzzy Hash: BBF08CB1904206EFDB258F04CE05F69BFA4FF49766F128068F54B9B291D3B198D0AF91

Function 002CF16F Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3259270ac7e613a2ff795961021089bcde03c973af59650afac39ced79e53bd8
Instruction ID: bab5cdba830307504f39ee95f771576c8afb2de5699a9e2a895efb5b49732523
Opcode Fuzzy Hash: 3259270ac7e613a2ff795961021089bcde03c973af59650afac39ced79e53bd8
Instruction Fuzzy Hash: E741A176920206EFDB74DF54CA44FAE7BB2FF04314F244269ED02AA151D3B1ADA0DB52

Function 0026F8F1 Relevance: 1.6, APIs: 1, Instructions: 92
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0026F8F1

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 71b395e2be09135b1f49d251701ba910630f6f144e42278690b440f486dc0e8b
Instruction ID: 0495c2c6d0eb506b478cf1bc169258c5b6ef37cfc339c0821e0f23a0d1212eaa
Opcode Fuzzy Hash: 71b395e2be09135b1f49d251701ba910630f6f144e42278690b440f486dc0e8b
Instruction Fuzzy Hash: 6831E0B251C600AFE706AF19D88167AFBF9FF98310F124C2DE2C582610D73188908B9B

Function 002C57B2 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002C393A: RtlAllocateHeap.NTDLL(00000000,00000000,002C35E3,?,?,002C35E3,00000008), ref: 002C3954

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 002C5834

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: AllocateCreateFileHeap
String ID:
API String ID: 3125202945-0
Opcode ID: 31cea50cfcc3392280e3510dcf75e8e027f402dacdf5c0ca4c976bac7aae0ea7
Instruction ID: 2332f2e974b939988d5502601ffe8a22f20863aec50cd1c11f292d3ead702025
Opcode Fuzzy Hash: 31cea50cfcc3392280e3510dcf75e8e027f402dacdf5c0ca4c976bac7aae0ea7
Instruction Fuzzy Hash: 13318271950605BAEB209F64DC45F99BBB8AB04728F208369F610AA1D1C3B5F5E28B54

Function 00271E45 Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4a5031f43d7b22a72727b8e74c170bdae96325b6632502633b88e4b3a5e70cf4
Instruction ID: db5da27059b55cf7e071f407d66a3317718cfe17142b57f896f787baa23dc4f4
Opcode Fuzzy Hash: 4a5031f43d7b22a72727b8e74c170bdae96325b6632502633b88e4b3a5e70cf4
Instruction Fuzzy Hash: 6211C6B75682416EF7118E299E01BBA7768DF82734F308025F909D7582D2F14D399A64

Function 00271E29 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c2dc7c17e8e9390b97a3f1eba5292e529dd2f274c00e2e233c2911e5ff39b12e
Instruction ID: 71184f0dd92d74b7c52ed6a0fe35def65eeb51293aa4a8d078acc463854b59b1
Opcode Fuzzy Hash: c2dc7c17e8e9390b97a3f1eba5292e529dd2f274c00e2e233c2911e5ff39b12e
Instruction Fuzzy Hash: FC1105B752C2416EF3028A199D01BBBBB68DF82330F31C066F809D7482D2F10D399665

Function 00271E6F Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 98c620be7877a6855d9e03a5026bf7e4cbbccb88cd47077687639c3ddf4999fe
Instruction ID: b1c879b8324a60459ab4403e7112c358284099a417ccdee833454619b3ba5d4b
Opcode Fuzzy Hash: 98c620be7877a6855d9e03a5026bf7e4cbbccb88cd47077687639c3ddf4999fe
Instruction Fuzzy Hash: 430104B76682417EE701CE189E05ABF7668EF82730F308026F809DB582D2F10D399664

Function 002CEEBC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 002CEF69

Memory Dump Source

Source File: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 096a355674c187886897c7e75656f6234e6b6409770dd1bda0ab94d43179b88a
Instruction ID: 4d79fad64ec747adac6d783024031d92bc76ad09594eb67353619fc1471a2809
Opcode Fuzzy Hash: 096a355674c187886897c7e75656f6234e6b6409770dd1bda0ab94d43179b88a
Instruction Fuzzy Hash: C1119671A2122A9FFF204E048C48FAABB6CAF54751F1242ADF945A6481D7789D90CAA1

Function 04E20D41 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E20DCD

Memory Dump Source

Source File: 00000000.00000002.1564600417.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e20000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: eefe25c8160013e10a942afade6a277ca1dee304bb3637e60ef064f90d7ae2ff
Instruction ID: 28f0e0dffa92c9465d659ccc06d4963c05343e17e99f463bb9e7c236b2427df1
Opcode Fuzzy Hash: eefe25c8160013e10a942afade6a277ca1dee304bb3637e60ef064f90d7ae2ff
Instruction Fuzzy Hash: 742104B69012198FDB54CF99D984ADEBBB1FB88320F14862AD908AB244C774A545CBA4

Function 04E20D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E20DCD

Memory Dump Source

Source File: 00000000.00000002.1564600417.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e20000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 944e25f775c7f60dace7fc0dec5b771ee6a1ae9cfa6e13c8e6c4e0dd2fe0e27c
Instruction ID: 5aabcbf1f2a6b9f09da1cfc8b795915666740727607b706e622aa69b3fd3a93f
Opcode Fuzzy Hash: 944e25f775c7f60dace7fc0dec5b771ee6a1ae9cfa6e13c8e6c4e0dd2fe0e27c
Instruction Fuzzy Hash: 3B2135B6C012199FCB10CF9AD984BDEFBF4FB88710F14811AD908AB244C774A540CBA4

Function 00271E86 Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3c93d189c7ed6324a49ab0656c0dd655cb9529217878e378bda97de3ea2eab36
Instruction ID: a38ad9413b9674ed06d442abacb4826f64bf011c0cf3a9ba3cb2eba7de275923
Opcode Fuzzy Hash: 3c93d189c7ed6324a49ab0656c0dd655cb9529217878e378bda97de3ea2eab36
Instruction Fuzzy Hash: C101D8B75692456FE710CE289D51BBF766CDF80724F318029F814DB581C2F10D39CA65

Function 04E21510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E21580

Memory Dump Source

Source File: 00000000.00000002.1564600417.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e20000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 1949a9fccec04648aa4d24029883d4d801484241aa3c878cf36af88667890fe5
Instruction ID: c13435d8b91fa925f6e5ff845ae15c4c4a6ec094ecf960ec4560be7344863512
Opcode Fuzzy Hash: 1949a9fccec04648aa4d24029883d4d801484241aa3c878cf36af88667890fe5
Instruction Fuzzy Hash: 0C11D3B1D003499FDB10CF9AD984BDEFBF4EB48320F10802AE559A3250D778AA44CFA5

Function 04E21509 Relevance: 1.6, APIs: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E21580

Memory Dump Source

Source File: 00000000.00000002.1564600417.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e20000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 968e2658b03821b38c06c891b31a1721d185fc4136ed2ad5b1eab2fbd950d1ed
Instruction ID: dfa766d1e9ab02d8f78a45b9e358153620a93f8c5854ffa47b3abf46bb1ea67d
Opcode Fuzzy Hash: 968e2658b03821b38c06c891b31a1721d185fc4136ed2ad5b1eab2fbd950d1ed
Instruction Fuzzy Hash: 7611FFB5D0024A8FDB10CF9AD584B9EFBF4AB48320F10802AE519A3250C778AA44CFA5

Function 00271ED1 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ae202fc794aff39946fb85b82ae0be80561cf8db7d97dbb8dead2f5bd6cc9468
Instruction ID: 7ab9be13c7faf536cb50e13091d6c5baaa201162bcaa9cb7b63adeb9669e88ff
Opcode Fuzzy Hash: ae202fc794aff39946fb85b82ae0be80561cf8db7d97dbb8dead2f5bd6cc9468
Instruction Fuzzy Hash: C7016876968246AFE710CF288840BAF7766DF48310F25802EE9198B881C2F04C35C798

Function 04E21301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E21367

Memory Dump Source

Source File: 00000000.00000002.1564600417.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e20000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 27a1aac00bcca64ceb36c218d3ceedaa9686c9f479c8d8bc8366ea6060b8bddc
Instruction ID: 946aade832224a7abdcbf83bfaa3e4a82c2d20ce438584b8c65ba1a3cad82e01
Opcode Fuzzy Hash: 27a1aac00bcca64ceb36c218d3ceedaa9686c9f479c8d8bc8366ea6060b8bddc
Instruction Fuzzy Hash: 661102B18003498FDB10DFAAD985BEEBBF4EB48320F24842AD558A3650D778A545CBA5

Function 04E21308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E21367

Memory Dump Source

Source File: 00000000.00000002.1564600417.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e20000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: e64d303da8929d294a5af4285af967ad66ce357e8d3c0b8937dea0529891577c
Instruction ID: bc6c2273baba2a98d11ecb45b53a2fd2675323276595fda7a12f98f87df4ff8d
Opcode Fuzzy Hash: e64d303da8929d294a5af4285af967ad66ce357e8d3c0b8937dea0529891577c
Instruction Fuzzy Hash: A91136B1800349CFDB10CF9AC945BEEFBF4EB48320F20841AD558A3640C778A544CFA5

Function 0027BE84 Relevance: 1.5, APIs: 1, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0027D7B1

Memory Dump Source

Source File: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e36f8f3477b62e76d966d540b6c71672f18b1df18b9506f614b240355ce5a852
Instruction ID: 21d2f9dee593bd320961fea04d5bf8a390e3286a763f316d98d5c0a4d25d391c
Opcode Fuzzy Hash: e36f8f3477b62e76d966d540b6c71672f18b1df18b9506f614b240355ce5a852
Instruction Fuzzy Hash: 2FF0147211C600CBD7097F68D89507EBBE0EF48711F125C1DD6C6832A4DA3514A0CA43

Function 00271D89 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,000000C1), ref: 00271DBF

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f5dbc7ecc5d26f058d9e80e1064f160423d6b036bde67672892d560d94e5ded
Instruction ID: 47b4412c556e0bc6ce5b1dc3e4a141997704505de81023232407a41d66d4f4a4
Opcode Fuzzy Hash: 5f5dbc7ecc5d26f058d9e80e1064f160423d6b036bde67672892d560d94e5ded
Instruction Fuzzy Hash: 1FE0E5B1C783616EE7B0AF3C0C80B7939989F11365F10866AE459C65C1D2B00C308F19

Function 00271F03 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,D8E95884,00000003,00000000,00000003,00271E31,00000000), ref: 00271F2C

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a7853494030ac9a6526e1351fd86598e59efa1d74d015d79067cbe974b883a4b
Instruction ID: 313df2a955865359fe09b0e111a25dd64e4a92d28c6bf5aace87dd7b45419ad3
Opcode Fuzzy Hash: a7853494030ac9a6526e1351fd86598e59efa1d74d015d79067cbe974b883a4b
Instruction Fuzzy Hash: 39E0C276AA82762ECB018E7C9C41A6E3398DF88300F64C029E819E7994D271EC2B4619

Function 002C393A Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,002C35E3,?,?,002C35E3,00000008), ref: 002C3954

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c02c35135862cb9c5074f85ca712dd232e5ecccd51728bac8ca538e502e882b0
Instruction ID: 60c2295411c6754756c76e88dda63587c0afd203907e328df4b6c623d7f24b3b
Opcode Fuzzy Hash: c02c35135862cb9c5074f85ca712dd232e5ecccd51728bac8ca538e502e882b0
Instruction Fuzzy Hash: 5BD0C977201606B7DE205E6EDC09F9ABA6CAB8AB94F004625B60194080DB65E1A1C5A4

Function 002C3A2D Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 002C3A91

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 2f0bc2708865bcf9330ce92d0045f8857b3bd5671d72bb61b45baf8e14230068
Instruction ID: d72a750c5340795699379e35f431922d8a34571ef36416fa908db554c5bfc455
Opcode Fuzzy Hash: 2f0bc2708865bcf9330ce92d0045f8857b3bd5671d72bb61b45baf8e14230068
Instruction Fuzzy Hash: 7A01C032A1010ABEDF21EFA8CC04E9EBBB6EF48740F008669F401A4060D7328A71DE60

Function 000FE396 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 000FE710

Memory Dump Source

Source File: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 777b4bd00ec4490d298f7677203d7f2870c2ed974750dfa9a88424b2edadbab6
Instruction ID: 709976a34f6d5739c4aea9267e3dec1d97c549f1f7414d713c389df6267a66ba
Opcode Fuzzy Hash: 777b4bd00ec4490d298f7677203d7f2870c2ed974750dfa9a88424b2edadbab6
Instruction Fuzzy Hash: ABD067B440C649CBD7146F6480452BDBBA0EB14302F11055CDAC246A50E2321860DA47

Function 000FEE49 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 000FEE4F

Memory Dump Source

Source File: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 91496cceac90b5597e28bb4b82aa9aea4f853a0111c9343bdac7299d702b1aa2
Instruction ID: a9a735c33e996e13019ac968d83eab82f458886e79366a38e4481c57f7a1dc4d
Opcode Fuzzy Hash: 91496cceac90b5597e28bb4b82aa9aea4f853a0111c9343bdac7299d702b1aa2
Instruction Fuzzy Hash: 56D0C97080424E8BCB181F74800C2AD3A60FF05322F200205FC21C2AC0C6310C50DA1A

Function 002C5675 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,002C36FB,?,?), ref: 002C567B

Memory Dump Source

Source File: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5a9b30a076f8f44484ca61db8c6e1d6f9cbf22647893a4980216e68756d54c51
Instruction ID: 0b176080322ff9995b4112d527bcb270a96c0e5b1f29e596b14311031f853680
Opcode Fuzzy Hash: 5a9b30a076f8f44484ca61db8c6e1d6f9cbf22647893a4980216e68756d54c51
Instruction Fuzzy Hash: F4B04831000608BBCB01AF55D806849BF69AFA5298B50C224B905844218B76EAA19AD5

Non-executed Functions

Function 000FD994 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

NTDL, xrefs: 000FDB75

Memory Dump Source

Source File: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: 141a006a37b17783932c8410ddd6d0aa1e8a30b080feed4379427b0ce380aa98
Instruction ID: 848948d590e1febe8a5a1b8fbab143501ad918ee2725b42bc05c0e6395383fff
Opcode Fuzzy Hash: 141a006a37b17783932c8410ddd6d0aa1e8a30b080feed4379427b0ce380aa98
Instruction Fuzzy Hash: 7871C0B290821E8FDB55CF64C4511FF7BE2FB46321F24422BDA4187E02D2B24D11EB9A

Function 0026F520 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcc5b76cc59f171d8b5db5117abf16fe22683a24072b30b589e6a6d2868fef5
Instruction ID: 36d860a48c23e73ef178378b9bb7ca59cf79d28562ca72381677990efb0cac56
Opcode Fuzzy Hash: 2bcc5b76cc59f171d8b5db5117abf16fe22683a24072b30b589e6a6d2868fef5
Instruction Fuzzy Hash: 35C10F7241D7C19FCB029F34DD652A9FFB0BF66210F188AAEC4C18B556E364549ACB42

Function 00273DE0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1562681392.000000000026C000.00000040.00000001.01000000.00000003.sdmp, Offset: 000F0000, based on PE: true

Associated: 00000000.00000002.1562449481.00000000000F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562469049.00000000000F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562483960.00000000000F6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562499804.00000000000FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562515952.0000000000104000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562530149.0000000000105000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562544336.0000000000106000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562647148.0000000000259000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562663956.000000000025C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562681392.0000000000279000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562712344.0000000000282000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562726619.0000000000284000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562741892.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562760804.0000000000294000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562781546.00000000002A9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562803602.00000000002BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562820149.00000000002C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562835604.00000000002CA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562852023.00000000002D9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562867138.00000000002E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562881669.00000000002E9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562898683.00000000002EE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562913485.00000000002F5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562927710.00000000002F7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562943555.00000000002FF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562957896.0000000000302000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562976705.0000000000309000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1562992523.000000000030E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563007495.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563024361.0000000000317000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563039358.0000000000318000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563057627.0000000000321000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563098222.0000000000381000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563115135.0000000000382000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.0000000000383000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563130926.000000000038A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1563166730.000000000039A000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9743ab00ebdbcbeb3e52963f8387a1bea7c3fdd4f8fceee64be1277cea0b70d
Instruction ID: 7ca8cdaf3c82a1a3eac3b87f2775f793a759de26af063498b8433dd9b2e681b5
Opcode Fuzzy Hash: b9743ab00ebdbcbeb3e52963f8387a1bea7c3fdd4f8fceee64be1277cea0b70d
Instruction Fuzzy Hash: 773118F211C700AFE305AF09D881ABAFBE9FF95320F56482DE6C583610D37549948B67

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7528, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7528, Parent PID: 4084COMMON

Execution Graph

Graph

Executed Functions

Function 002CE743 Relevance: 3.1, APIs: 2, Instructions: 107memoryCOMMON

Windows Analysis Report
file.exe

Function 002CE743 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 00271E35 Relevance: 1.6, APIs: 1, Instructions: 86
fileCOMMON

Function 002C4F2F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 002C5435 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 002C3E0F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 002C551E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 00271F17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
fileCOMMON

Function 002CEAE6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 37
memoryCOMMON

Function 002CF16F Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Function 0026F8F1 Relevance: 1.6, APIs: 1, Instructions: 92
libraryCOMMON

Function 002C57B2 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00271E45 Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Function 00271E29 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Function 00271E6F Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON