Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560142
MD5:	21f1d579996c0e223529d781d9390c05
SHA1:	db238f2cc489e22158603b17a49e6fd43b314d74
SHA256:	64a5b57d555ef999a209a254c0324edd6f03832ee9f688444e101f526662c5b3
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SIDT)

Contains long sleeps (>= 3 min)

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7812 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 21F1D579996C0E223529D781D9390C05)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F87A3 CryptVerifySignatureA,

0_2_005F87A3

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1387296911.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005F3798 appears 35 times

Source: file.exe, 00000000.00000000.1365810028.0000000000426000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@1/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeR

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2754048 > 1048576

Source: file.exe

Static PE information: Raw size of ybikrwjp is bigger than: 0x100000 < 0x29a600

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.420000.0.unpack :EW;.rsrc:W;.idata :W;ybikrwjp:EW;qvqhdqdc:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2af6c7 should be: 0x2ae4f4

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: ybikrwjp
Source: file.exe	Static PE information: section name: qvqhdqdc
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430220 push edi; mov dword ptr [esp], ebx	0_2_00430C6B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430220 push 0DD450D8h; mov dword ptr [esp], edi	0_2_00430C9A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042E4FE push eax; mov dword ptr [esp], 298178C6h	0_2_0042F2C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B804A push 43847944h; mov dword ptr [esp], edx	0_2_005B804F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B804A push 27247599h; mov dword ptr [esp], edi	0_2_005B8057
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A2047 push ebx; mov dword ptr [esp], ebp	0_2_005A206F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A2047 push eax; mov dword ptr [esp], 6ECFE75Eh	0_2_005A20CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A2047 push 7D367841h; mov dword ptr [esp], ebp	0_2_005A2142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00638059 push ecx; mov dword ptr [esp], ebx	0_2_00638092
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431006 push 5436E24Ah; mov dword ptr [esp], eax	0_2_0043101B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431006 push ecx; mov dword ptr [esp], eax	0_2_0043326F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C00B push ebx; mov dword ptr [esp], eax	0_2_0042C015
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005AD0E9 push eax; mov dword ptr [esp], ebx	0_2_005AD0EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004310F5 push 0836D071h; mov dword ptr [esp], ebx	0_2_004310FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B30D6 push 092401B7h; mov dword ptr [esp], esi	0_2_006B3118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B30D6 push eax; mov dword ptr [esp], ebp	0_2_006B3197
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B30D6 push eax; mov dword ptr [esp], esp	0_2_006B319B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F08A push 316B617Eh; mov dword ptr [esp], eax	0_2_0042F0AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005AF08C push esi; mov dword ptr [esp], eax	0_2_005AF08D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004330B2 push ebx; mov dword ptr [esp], ecx	0_2_004330C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005AF0A4 push ebp; mov dword ptr [esp], edx	0_2_005AF0A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005AF0A4 push edi; mov dword ptr [esp], eax	0_2_005AF0AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043114A push ecx; mov dword ptr [esp], edx	0_2_00431F92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042C14D push 57116CCBh; mov dword ptr [esp], esi	0_2_0042C6F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D155 push eax; mov dword ptr [esp], edi	0_2_0042D165
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B8119 push esi; mov dword ptr [esp], ebx	0_2_005B82B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B0118 push edx; mov dword ptr [esp], ebp	0_2_005B0127
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B0118 push ecx; mov dword ptr [esp], ebx	0_2_005B013F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431105 push 3537E9C3h; mov dword ptr [esp], ecx	0_2_00433A9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D132 push 63516AAFh; mov dword ptr [esp], edi	0_2_0042D137
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B612B push 52D01FEAh; mov dword ptr [esp], ebp	0_2_005B6132

Source: file.exe

Static PE information: section name: entropy: 7.765265667159949

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42E27C second address: 42E280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 42E280 second address: 42E286 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1C67 second address: 5A1C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F3BD4C9CF8Bh 0x0000000d pop esi 0x0000000e jo 00007F3BD4C9CF8Eh 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1C85 second address: 5A1CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3BD4DEAE59h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1E03 second address: 5A1E70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF97h 0x00000007 jmp 00007F3BD4C9CF92h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jo 00007F3BD4C9CF86h 0x00000015 jmp 00007F3BD4C9CF99h 0x0000001a jmp 00007F3BD4C9CF93h 0x0000001f jmp 00007F3BD4C9CF8Ch 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1E70 second address: 5A1E93 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F3BD4DEAE55h 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1E93 second address: 5A1E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1E97 second address: 5A1EC9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BD4DEAE46h 0x00000008 jmp 00007F3BD4DEAE53h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F3BD4DEAE4Fh 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1EC9 second address: 5A1ED9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3BD4C9CF8Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1ED9 second address: 5A1EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1EDF second address: 5A1EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A21CB second address: 5A21DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F3BD4DEAE46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A21DA second address: 5A21E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A21E0 second address: 5A21E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A21E8 second address: 5A220E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F3BD4C9CF8Bh 0x00000010 jmp 00007F3BD4C9CF8Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A220E second address: 5A2214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2214 second address: 5A2219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2219 second address: 5A2222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A23A4 second address: 5A23A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A23A8 second address: 5A23B0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A23B0 second address: 5A23BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BD4C9CF8Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A23BF second address: 5A23C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A23C3 second address: 5A23FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3BD4C9CF91h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F3BD4C9CF8Eh 0x00000017 jbe 00007F3BD4C9CF8Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A254D second address: 5A2560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4DEAE4Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2560 second address: 5A2564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A51DD second address: 5A51EB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F3BD4DEAE46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A51EB second address: 5A526A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 3E5EEE91h 0x00000011 mov edx, dword ptr [ebp+122D2DCDh] 0x00000017 mov dword ptr [ebp+122D22D3h], ebx 0x0000001d push 00000003h 0x0000001f mov edx, dword ptr [ebp+122D2A81h] 0x00000025 push 00000000h 0x00000027 mov ecx, dword ptr [ebp+122D2AADh] 0x0000002d push ebx 0x0000002e mov ecx, 2CDA6C51h 0x00000033 pop esi 0x00000034 push 00000003h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F3BD4C9CF88h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov esi, dword ptr [ebp+122D1CC8h] 0x00000056 push 79CE04ACh 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e je 00007F3BD4C9CF86h 0x00000064 jc 00007F3BD4C9CF86h 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A526A second address: 5A529A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BD4DEAE4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 4631FB54h 0x00000011 lea ebx, dword ptr [ebp+1244B068h] 0x00000017 mov cx, dx 0x0000001a xchg eax, ebx 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3BD4DEAE4Ch 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A529A second address: 5A52B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3BD4C9CF92h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5321 second address: 5A5325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5325 second address: 5A533E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3BD4C9CF8Ch 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A533E second address: 5A538F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add edi, dword ptr [ebp+122D2AE1h] 0x00000010 push 00000000h 0x00000012 mov ecx, dword ptr [ebp+122D37EDh] 0x00000018 push FC4B96A1h 0x0000001d pushad 0x0000001e jnl 00007F3BD4DEAE57h 0x00000024 push eax 0x00000025 push edx 0x00000026 jg 00007F3BD4DEAE46h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A538F second address: 5A5393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5393 second address: 5A53D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 03B469DFh 0x0000000e mov esi, 2EA292CCh 0x00000013 push 00000003h 0x00000015 push esi 0x00000016 mov dword ptr [ebp+122D1E19h], edi 0x0000001c pop esi 0x0000001d push 00000000h 0x0000001f movsx ecx, si 0x00000022 push 00000003h 0x00000024 push eax 0x00000025 cmc 0x00000026 pop ecx 0x00000027 push A369A11Dh 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F3BD4DEAE57h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A53D9 second address: 5A5411 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F3BD4C9CF86h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 add dword ptr [esp], 1C965EE3h 0x00000018 xor edi, dword ptr [ebp+122D2B75h] 0x0000001e lea ebx, dword ptr [ebp+1244B071h] 0x00000024 jno 00007F3BD4C9CF8Bh 0x0000002a mov di, ax 0x0000002d push eax 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C61BF second address: 5C61C4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59875C second address: 598762 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C43C8 second address: 5C440C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3BD4DEAE46h 0x00000009 jmp 00007F3BD4DEAE56h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jnp 00007F3BD4DEAE4Ch 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3BD4DEAE52h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C440C second address: 5C4427 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3BD4C9CF88h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3BD4C9CF8Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C49EE second address: 5C49FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnp 00007F3BD4DEAE46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C4B5C second address: 5C4B66 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3BD4C9CF8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C4FD5 second address: 5C4FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C4FDB second address: 5C4FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C4FE1 second address: 5C4FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3BD4DEAE51h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C525D second address: 5C5261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C5261 second address: 5C527F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F3BD4DEAE53h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C5BA8 second address: 5C5BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C5BAF second address: 5C5BB4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C5FDE second address: 5C5FF8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F3BD4C9CF92h 0x00000012 ja 00007F3BD4C9CF86h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C5FF8 second address: 5C5FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CB98A second address: 5CB98E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CBF61 second address: 5CBF65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CBF65 second address: 5CBF76 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CBF76 second address: 5CBF89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CBF89 second address: 5CBF8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CBF8D second address: 5CBF91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CBF91 second address: 5CBFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CAE6E second address: 5CAE83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BD4DEAE51h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D2708 second address: 5D2729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BD4C9CF97h 0x00000009 jng 00007F3BD4C9CF86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D2729 second address: 5D2753 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Ah 0x00000007 jmp 00007F3BD4DEAE54h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F3BD4DEAE56h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D1C13 second address: 5D1C3A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3BD4C9CF9Ah 0x00000008 jmp 00007F3BD4C9CF92h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 jnl 00007F3BD4C9CF86h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D1D61 second address: 5D1D70 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3BD4DEAE4Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D1D70 second address: 5D1D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D1D78 second address: 5D1DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3BD4DEAE46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3BD4DEAE59h 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D1DA5 second address: 5D1DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3BD4C9CF86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D244D second address: 5D2453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D2453 second address: 5D246A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3BD4C9CF91h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D25C5 second address: 5D25C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D25C9 second address: 5D25D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D2E7E second address: 5D2E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D3696 second address: 5D36A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D36A9 second address: 5D36B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F3BD4DEAE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D36B3 second address: 5D36B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D3D73 second address: 5D3D8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D3D8F second address: 5D3DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4C9CF98h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4F64 second address: 5D4F74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4F74 second address: 5D4F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3BD4C9CF86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4E57 second address: 5D4E69 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3BD4DEAE48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4E69 second address: 5D4E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4E6D second address: 5D4E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D5F47 second address: 5D5F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4E77 second address: 5D4E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D5F4B second address: 5D5F64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3BD4C9CF8Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4E7B second address: 5D4E7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D670C second address: 5D6712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D83DD second address: 5D83ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3BD4DEAE46h 0x0000000a jo 00007F3BD4DEAE46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D83ED second address: 5D83FF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3BD4C9CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F3BD4C9CF8Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D9F8A second address: 5D9FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jc 00007F3BD4DEAE46h 0x0000000f jp 00007F3BD4DEAE46h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DAAFA second address: 5DAB0B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA811 second address: 5DA817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DAB0B second address: 5DAB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DEF6D second address: 5DEF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DEF74 second address: 5DEFD4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BD4C9CF88h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F3BD4C9CF88h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push ecx 0x00000028 pushad 0x00000029 mov dword ptr [ebp+1245D920h], edx 0x0000002f mov edx, dword ptr [ebp+12475FEBh] 0x00000035 popad 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D226Bh], edx 0x0000003f push 00000000h 0x00000041 jmp 00007F3BD4C9CF8Ch 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jo 00007F3BD4C9CF86h 0x00000050 pushad 0x00000051 popad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E0FCF second address: 5E0FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3BD4DEAE4Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E0137 second address: 5E013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E0FE6 second address: 5E103B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D38A6h], ecx 0x00000010 mov edi, dword ptr [ebp+122DB612h] 0x00000016 push 00000000h 0x00000018 mov bl, 6Eh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F3BD4DEAE48h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 jo 00007F3BD4DEAE4Ch 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E103B second address: 5E103F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E013B second address: 5E0150 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E103F second address: 5E105A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F3BD4C9CF86h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F3BD4C9CF8Ch 0x00000015 jnp 00007F3BD4C9CF86h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E0150 second address: 5E0156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E105A second address: 5E1060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E1060 second address: 5E1064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E1222 second address: 5E124C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3BD4C9CF95h 0x0000000e popad 0x0000000f push eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E331E second address: 5E3330 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3BD4DEAE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F3BD4DEAE4Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E628B second address: 5E629D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007F3BD4C9CF94h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E629D second address: 5E62A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5314 second address: 5E532C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E532C second address: 5E5331 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5331 second address: 5E5341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5341 second address: 5E53D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BD4DEAE51h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push ebx 0x0000000f call 00007F3BD4DEAE4Bh 0x00000014 mov edi, 2372554Bh 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b push dword ptr fs:[00000000h] 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F3BD4DEAE48h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c mov edi, dword ptr [ebp+122D2CF9h] 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 push esi 0x0000004a xor dword ptr [ebp+122D1CAAh], edx 0x00000050 pop edi 0x00000051 mov eax, dword ptr [ebp+122D0DA1h] 0x00000057 or edi, dword ptr [ebp+1246EBFBh] 0x0000005d push FFFFFFFFh 0x0000005f mov edi, edx 0x00000061 nop 0x00000062 jmp 00007F3BD4DEAE54h 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E53D5 second address: 5E53E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3BD4C9CF86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E6418 second address: 5E6427 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3BD4DEAE4Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E64FD second address: 5E6532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3BD4C9CF96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EC617 second address: 5EC679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F3BD4DEAE48h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 and bx, F5B2h 0x00000027 push 00000000h 0x00000029 mov ebx, dword ptr [ebp+122D2B8Dh] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F3BD4DEAE48h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b mov ebx, ecx 0x0000004d mov dword ptr [ebp+122D2EDDh], edx 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EC679 second address: 5EC680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EA664 second address: 5EA67D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F3BD4DEAE54h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E7477 second address: 5E747D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E747D second address: 5E7539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jg 00007F3BD4DEAE4Bh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F3BD4DEAE48h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov edi, dword ptr [ebp+1246EA57h] 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F3BD4DEAE48h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c pushad 0x0000005d xor dword ptr [ebp+122D2461h], edi 0x00000063 xor ecx, dword ptr [ebp+1246EA57h] 0x00000069 popad 0x0000006a mov eax, dword ptr [ebp+122D0D2Dh] 0x00000070 mov di, 6493h 0x00000074 push FFFFFFFFh 0x00000076 xor dword ptr [ebp+122D37D1h], esi 0x0000007c nop 0x0000007d jp 00007F3BD4DEAE52h 0x00000083 push eax 0x00000084 pushad 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F3BD4DEAE4Ah 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E7539 second address: 5E753D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EE7E2 second address: 5EE7E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EEA33 second address: 5EEA4B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3BD4C9CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jg 00007F3BD4C9CF88h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE076 second address: 5FE08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F3BD4DEAE4Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F3BD4DEAE46h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE08D second address: 5FE091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE091 second address: 5FE09B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3BD4DEAE46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE1F0 second address: 5FE204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4C9CF8Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE365 second address: 5FE374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F3BD4DEAE46h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE374 second address: 5FE378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE378 second address: 5FE39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F3BD4DEAE4Ch 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE39B second address: 5FE39F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE39F second address: 5FE3A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE3A5 second address: 5FE3B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3BD4C9CF86h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 605982 second address: 605986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 605986 second address: 60598A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60598A second address: 6059A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3BD4DEAE55h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C04F second address: 60C05E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F3BD4C9CF86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C05E second address: 60C06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F3BD4DEAE46h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C06B second address: 60C075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3BD4C9CF86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C075 second address: 60C079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C4A4 second address: 60C4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C4A9 second address: 60C4B6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BD4DEAE48h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C7E9 second address: 60C7F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C7F0 second address: 60C7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C7F9 second address: 60C7FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C93F second address: 60C945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C945 second address: 60C94B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60C94B second address: 60C95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F3BD4DEAE46h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC3B5 second address: 5DC3C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F3BD4C9CF8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC3C3 second address: 5DC3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3BD4DEAE55h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC3E4 second address: 5DC45D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007F3BD4C9CF91h 0x0000000f pushad 0x00000010 jnc 00007F3BD4C9CF86h 0x00000016 jns 00007F3BD4C9CF86h 0x0000001c popad 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007F3BD4C9CF8Ch 0x00000029 push eax 0x0000002a pop eax 0x0000002b popad 0x0000002c ja 00007F3BD4C9CF8Ch 0x00000032 popad 0x00000033 pop eax 0x00000034 jmp 00007F3BD4C9CF8Ch 0x00000039 call 00007F3BD4C9CF89h 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F3BD4C9CF94h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC45D second address: 5DC4C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3BD4DEAE58h 0x0000000e popad 0x0000000f push eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jp 00007F3BD4DEAE46h 0x0000001a popad 0x0000001b pop ecx 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007F3BD4DEAE4Dh 0x00000027 jmp 00007F3BD4DEAE4Eh 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f jbe 00007F3BD4DEAE46h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC4C8 second address: 5DC507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007F3BD4C9CF8Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3BD4C9CF93h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC5F5 second address: 5DC5FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC67D second address: 5DC681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC9A7 second address: 5DC9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DC9AB second address: 5DC9B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F3BD4C9CF86h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DCDF3 second address: 5DCDF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DD11D second address: 5DD16E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BD4C9CF9Eh 0x00000008 jmp 00007F3BD4C9CF98h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 pop eax 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b jmp 00007F3BD4C9CF92h 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 jnl 00007F3BD4C9CF86h 0x00000029 popad 0x0000002a popad 0x0000002b mov eax, dword ptr [eax] 0x0000002d push ecx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DD16E second address: 5DD18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3BD4DEAE50h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DD277 second address: 5DD27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DD27B second address: 5DD27F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DD27F second address: 5DD289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611114 second address: 61111F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F3BD4DEAE46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6113F4 second address: 611405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3BD4C9CF86h 0x00000009 jo 00007F3BD4C9CF86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611405 second address: 61140D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61155E second address: 611576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4C9CF94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611576 second address: 61159C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3BD4DEAE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F3BD4DEAE58h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61159C second address: 6115C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d popad 0x0000000e pushad 0x0000000f jbe 00007F3BD4C9CF8Ah 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 js 00007F3BD4C9CF92h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6115C6 second address: 6115CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61172D second address: 611744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4C9CF8Fh 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611A0A second address: 611A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jnl 00007F3BD4DEAE46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61624E second address: 61626B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF99h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58C843 second address: 58C847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58C847 second address: 58C850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F2BE second address: 61F2CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F2CA second address: 61F2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 js 00007F3BD4C9CF8Eh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F40A second address: 61F410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F410 second address: 61F43A instructions: 0x00000000 rdtsc 0x00000002 je 00007F3BD4C9CF8Ah 0x00000008 pushad 0x00000009 jmp 00007F3BD4C9CF95h 0x0000000e jns 00007F3BD4C9CF86h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F43A second address: 61F460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jmp 00007F3BD4DEAE4Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3BD4DEAE4Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61F460 second address: 61F464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61FE05 second address: 61FE16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4DEAE4Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61FE16 second address: 61FE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61FE1F second address: 61FE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3BD4DEAE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62032B second address: 620343 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jnl 00007F3BD4C9CF86h 0x0000000f pop ebx 0x00000010 jo 00007F3BD4C9CF8Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 620343 second address: 62035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jne 00007F3BD4DEAE5Ch 0x0000000d pushad 0x0000000e jc 00007F3BD4DEAE46h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 627316 second address: 62731F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62731F second address: 627325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 627325 second address: 627329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626C90 second address: 626C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626C96 second address: 626CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62984F second address: 629853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59A189 second address: 59A18D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59A18D second address: 59A197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62D871 second address: 62D877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62D877 second address: 62D87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62D9A8 second address: 62D9E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F3BD4C9CF95h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jns 00007F3BD4C9CF86h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3BD4C9CF97h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DE10 second address: 62DE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DE14 second address: 62DE32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3BD4C9CF94h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DE32 second address: 62DE78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE59h 0x00000007 jmp 00007F3BD4DEAE4Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3BD4DEAE59h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632288 second address: 63228E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63228E second address: 6322BC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BD4DEAE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F3BD4DEAE46h 0x00000011 jc 00007F3BD4DEAE46h 0x00000017 jmp 00007F3BD4DEAE56h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63155F second address: 631565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6316AD second address: 6316B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6316B2 second address: 6316B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6316B7 second address: 6316BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 631984 second address: 631999 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3BD4C9CF8Dh 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637F4F second address: 637F90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F3BD4DEAE48h 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 jbe 00007F3BD4DEAE46h 0x00000019 jmp 00007F3BD4DEAE58h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637F90 second address: 637F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636A6C second address: 636A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636A74 second address: 636A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636E75 second address: 636EB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Ch 0x00000007 jmp 00007F3BD4DEAE56h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3BD4DEAE52h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636EB1 second address: 636EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636EB5 second address: 636ECE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE55h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636ECE second address: 636ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636ED8 second address: 636EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 636EDC second address: 636EE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DCC0B second address: 5DCC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DCC10 second address: 5DCC6B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3BD4C9CF99h 0x0000000e nop 0x0000000f clc 0x00000010 push 00000004h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F3BD4C9CF88h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c add dword ptr [ebp+122DB64Fh], ecx 0x00000032 nop 0x00000033 pushad 0x00000034 jmp 00007F3BD4C9CF8Bh 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DCC6B second address: 5DCC6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6405A0 second address: 6405A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6405A4 second address: 6405A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6405A8 second address: 6405C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3BD4C9CF92h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5892FD second address: 589302 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63E652 second address: 63E658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63E658 second address: 63E65C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63E7C3 second address: 63E7E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF98h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63EAFE second address: 63EB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007F3BD4DEAE4Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 jmp 00007F3BD4DEAE56h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F124 second address: 63F13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3BD4C9CF86h 0x0000000a jo 00007F3BD4C9CF92h 0x00000010 jo 00007F3BD4C9CF86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F968 second address: 63F972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F972 second address: 63F987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F987 second address: 63F98D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F98D second address: 63F991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F991 second address: 63F9B8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3BD4DEAE55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jnl 00007F3BD4DEAE46h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63FCFC second address: 63FD0A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BD4C9CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63FD0A second address: 63FD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63FFDB second address: 63FFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3BD4C9CF86h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F3BD4C9CF93h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63FFFC second address: 640002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6402C1 second address: 6402C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6488D1 second address: 6488D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6488D5 second address: 6488DB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6488DB second address: 6488E5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BD4DEAE4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6488E5 second address: 6488F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F3BD4C9CF8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648B9B second address: 648B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648B9F second address: 648BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648BA3 second address: 648BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3BD4DEAE4Bh 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648BBA second address: 648BC8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F3BD4C9CF8Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 648D36 second address: 648D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64F92E second address: 64F934 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64F934 second address: 64F954 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Eh 0x00000007 push ebx 0x00000008 jmp 00007F3BD4DEAE4Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64FAAC second address: 64FAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64FF42 second address: 64FF4C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3BD4DEAE4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 650598 second address: 65059C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 650E90 second address: 650E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3BD4DEAE46h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6583B5 second address: 6583BF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BD4C9CF8Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BBB4 second address: 65BBBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 65BBBC second address: 65BBC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007F3BD4C9CF86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66565E second address: 665664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59BB02 second address: 59BB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59BB0B second address: 59BB0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59BB0F second address: 59BB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F3BD4C9CF8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 669B07 second address: 669B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 669B0B second address: 669B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3BD4C9CF92h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 669B19 second address: 669B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 669B1F second address: 669B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4C9CF97h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 669539 second address: 669556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE58h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6696B2 second address: 6696B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66BEFA second address: 66BF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66BF00 second address: 66BF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66BF04 second address: 66BF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3BD4DEAE4Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66BF14 second address: 66BF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66BF1A second address: 66BF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66BF1E second address: 66BF22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66DB27 second address: 66DB2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66DB2B second address: 66DB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jno 00007F3BD4C9CF86h 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F3BD4C9CF93h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push edi 0x0000001b pop edi 0x0000001c jno 00007F3BD4C9CF86h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 674679 second address: 674698 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3BD4DEAE54h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 674698 second address: 6746AC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3BD4C9CF86h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F3BD4C9CF86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 678838 second address: 67883F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67DB97 second address: 67DBB5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3BD4C9CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F3BD4C9CF92h 0x00000012 jc 00007F3BD4C9CF86h 0x00000018 jc 00007F3BD4C9CF86h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67DBB5 second address: 67DBBA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67FB0D second address: 67FB38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF8Eh 0x00000007 jmp 00007F3BD4C9CF92h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67FB38 second address: 67FB3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67FB3C second address: 67FB4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3BD4C9CF8Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67FB4C second address: 67FB62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE4Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F3BD4DEAE46h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 682B5C second address: 682B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6888CE second address: 6888D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688A19 second address: 688A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688A1E second address: 688A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3BD4DEAE55h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688A39 second address: 688A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688BB8 second address: 688BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3BD4DEAE59h 0x0000000a push edx 0x0000000b jo 00007F3BD4DEAE46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688BDF second address: 688BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688BE7 second address: 688C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4DEAE54h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688D45 second address: 688D52 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3BD4C9CF86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688D52 second address: 688D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3BD4DEAE46h 0x0000000a jbe 00007F3BD4DEAE46h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 688D63 second address: 688D6A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 689D76 second address: 689D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68C857 second address: 68C85D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68C85D second address: 68C86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnp 00007F3BD4DEAE46h 0x0000000b jnp 00007F3BD4DEAE46h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68C9F8 second address: 68CA10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF92h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A4C99 second address: 6A4D1B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 jmp 00007F3BD4DEAE59h 0x0000000e jmp 00007F3BD4DEAE59h 0x00000013 pop ecx 0x00000014 jnl 00007F3BD4DEAE5Dh 0x0000001a jmp 00007F3BD4DEAE51h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F3BD4DEAE56h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AC518 second address: 6AC522 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3BD4C9CF86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AC522 second address: 6AC52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AB9F1 second address: 6AB9FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F3BD4C9CF86h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AC0BD second address: 6AC0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AC243 second address: 6AC25B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF93h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AC25B second address: 6AC261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B12E9 second address: 6B12EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B12EF second address: 6B12F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B12F6 second address: 6B1310 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF90h 0x00000007 jc 00007F3BD4C9CF92h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58E2FA second address: 58E2FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58E2FE second address: 58E307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0D04 second address: 6B0D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B62C9 second address: 6B62E3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3BD4C9CF8Ch 0x00000008 jo 00007F3BD4C9CF86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F3BD4C9CF86h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9A53 second address: 6B9A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F3BD4DEAE59h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9A73 second address: 6B9A7A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9589 second address: 6B9591 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB541 second address: 6BB545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB545 second address: 6BB551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB551 second address: 6BB555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB555 second address: 6BB575 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4DEAE56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B234E second address: 6B2354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B2354 second address: 6B235C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0E26 second address: 6B0E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0E2B second address: 6B0E3C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3BD4DEAE48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0E3C second address: 6B0E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0E40 second address: 6B0E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3BD4DEAE4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F3BD4DEAE54h 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F3BD4DEAE4Ch 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0FB3 second address: 6B0FCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3BD4C9CF8Ch 0x00000007 jnl 00007F3BD4C9CF86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B0FCD second address: 6B100E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3BD4DEAE46h 0x00000008 js 00007F3BD4DEAE46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F3BD4DEAE4Bh 0x00000017 jmp 00007F3BD4DEAE4Ah 0x0000001c jmp 00007F3BD4DEAE54h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B117B second address: 6B11AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007F3BD4C9CF9Fh 0x0000000b jmp 00007F3BD4C9CF99h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3BD4C9CF8Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B11AC second address: 6B11BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F3BD4DEAE46h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D5AC3 second address: 5D5ACD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3BD4C9CF8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5DBE47 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 65C500 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7060000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042E003 rdtsc

0_2_0042E003

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B6A2F sidt fword ptr [esp-02h]

0_2_005B6A2F

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 8028

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006034FF GetSystemInfo,VirtualAlloc,

0_2_006034FF

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042E003 rdtsc

0_2_0042E003

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0042B7DE LdrInitializeThunk,

0_2_0042B7DE

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: 7Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F78E5 GetSystemTime,GetFileTime,

0_2_005F78E5

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	271 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	271 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
time.windows.com	unknown	unknown	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560142
Start date and time:	2024-11-21 13:09:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	13.107.246.45
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	APPENDIX FORM_N#U00b045013-20241120.com.exe	Get hash	malicious	Remcos, GuLoader	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	Payslip-21 November, 2024 ZmPQwjYq1NGSTsWga2.htm	Get hash	malicious	BlackHacker JS Obfuscator	Browse	13.107.246.45
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	CB1.exe	Get hash	malicious	BlackMoon	Browse	13.107.246.45
	+11375 Caller left Vc MsG 8b1538917f01661e6746a0528d545dbeac3b40a5- 73945.msg	Get hash	malicious	HtmlDropper	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.508530255289309
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'754'048 bytes
MD5:	21f1d579996c0e223529d781d9390c05
SHA1:	db238f2cc489e22158603b17a49e6fd43b314d74
SHA256:	64a5b57d555ef999a209a254c0324edd6f03832ee9f688444e101f526662c5b3
SHA512:	b33f98a8cd81a3cb0cffb4aaff551156e0aa384dffe8b7b7f6751370221be6f504f12c79aa38df7967c9c06a57b42e59d76f12fa3594e797d42aabc2896277c9
SSDEEP:	24576:RBs2Yty3S5XqyOqARl+LWWQsmQn7AKJKrAs3KuOYF5QadGUM768SYKXaTV6cbATy:RCqq2YLWWQi7V681eq6STpzL0a
TLSH:	D3D517A2B80972CFD48E17B8917BCD47995D03B94B1048CBD86CA87E7D77EC115ABC28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$.............. ...`....@.. ...............................*...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6a8000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F3BD515A5EAh
pmulhuw mm5, qword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	5dc43ccccd699f626932708542fa3ee4	False	0.9320746527777778	data	7.765265667159949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ybikrwjp	0xa000	0x29c000	0x29a600	da2a275458efbbbaaf33817748b24102	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qvqhdqdc	0x2a6000	0x2000	0x400	1636b837ee9d74f7357d5964eb7c4279	False	0.7763671875	data	6.156539531587037	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2a8000	0x4000	0x2200	856a74e16f3441fd89886941e9ac9702	False	0.006548713235294118	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 13:10:07.298259974 CET	64661	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 13:10:07.298259974 CET	192.168.2.7	1.1.1.1	0xc749	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 13:10:07.532176018 CET	1.1.1.1	192.168.2.7	0xc749	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 13:10:09.857238054 CET	1.1.1.1	192.168.2.7	0x645d	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 13:10:09.857238054 CET	1.1.1.1	192.168.2.7	0x645d	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:10:12
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x420000
File size:	2'754'048 bytes
MD5 hash:	21F1D579996C0E223529D781D9390C05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	3.3%
Signature Coverage:	4.7%
Total number of Nodes:	365
Total number of Limit Nodes:	21

Executed Functions

Function 006034FF Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11EA5FEC), ref: 0060350B
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 0060356C

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 4af632a7e565637fd7b40c90e0d05ed32e5ceb4f435ca7c3259a87bc479ac9d4
Instruction ID: 6a42d0aedb62269552cd65eaa84e9126e04a9a6e19cb3a039a5b9122af0208aa
Opcode Fuzzy Hash: 4af632a7e565637fd7b40c90e0d05ed32e5ceb4f435ca7c3259a87bc479ac9d4
Instruction Fuzzy Hash: A24150B1940216EEF729DF608C05BD7B7ADFF58741F1040A6B203DAAC2E7B196D487A4

Function 0042B7DE Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 0042B94E

Memory Dump Source

Source File: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: 54521641a1027243b436c47cb0607a224afa3aa5b952038f992c526b27bdb426
Instruction ID: 674de83f56a6aa592520747a62db97739ee2c4d6df250995d683ba5c696dead5
Opcode Fuzzy Hash: 54521641a1027243b436c47cb0607a224afa3aa5b952038f992c526b27bdb426
Instruction Fuzzy Hash: 7FE08CF13085958ACB1BAF24A801BAA7719DF40B04FD0411AFA859AA89CB2D1D5687DA

Function 005F4E6B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 005F4F7C
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 005F4F90

Strings

.dll, xrefs: 005F4EB3
1002, xrefs: 005F4F46
.exe, xrefs: 005F4ED7

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: d358cce6f5ee6ede5e6d5c9632931a1a9ecdf6906fb58f09f0efb0eb0fe08ddb
Instruction ID: a1c466c625401f1b2403940d2e554e26f73c22331722649c86866e803f70f65b
Opcode Fuzzy Hash: d358cce6f5ee6ede5e6d5c9632931a1a9ecdf6906fb58f09f0efb0eb0fe08ddb
Instruction Fuzzy Hash: BB318A7180420EEFDF24AF54D808ABE7F7AFF48340F104159FB0986260D7799AA0DE52

Function 005F5371 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,005F5303,?,00000000,00000000), ref: 005F542E
GetModuleHandleA.KERNEL32(00000000,?,?,?,005F5303,?,00000000,00000000), ref: 005F543C

Strings

.dll, xrefs: 005F53A4

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: 767756e302530157aedaf233e3189484ba19d8e93d0699ad953984e4bc3ff3c1
Instruction ID: b563ce36750847a64c68d86e40a0fb73481e966c60bb2b09e6e71caf88c665bf
Opcode Fuzzy Hash: 767756e302530157aedaf233e3189484ba19d8e93d0699ad953984e4bc3ff3c1
Instruction Fuzzy Hash: F8112E30105A0EEAEF31DF54C80D77D7EB1BF40386F145225BB0285496E7BD9AE4DAA2

Function 005F7CCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00E503CC,-11EA5FEC), ref: 005F7D44
GetFileAttributesA.KERNEL32(00000000,-11EA5FEC), ref: 005F7D52

Strings

@, xrefs: 005F7CF7

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 0736ebec810bba124c9c73f2f074c6cae60598d96019467a91e80b456514a9f8
Instruction ID: 00a79bb6edd6ae054260590a379bb353316cd5e3daa04af49fda5dfe3765e74e
Opcode Fuzzy Hash: 0736ebec810bba124c9c73f2f074c6cae60598d96019467a91e80b456514a9f8
Instruction Fuzzy Hash: 3B014B7010820DFAEF21AF68C90D7BC7E71BF48340F604125E702A94A1C3B89B92EA40

Function 005F3D4B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 005F3DAD

Strings

\\?\, xrefs: 005F3E08

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 66cde97e5b6e88c05fe61f7876ca5f3c8f1e09e8e1c1fdd468bf3c0515e0170c
Instruction ID: c8f35d7ed2361f27c964347761caf0231e36a590208262b472c8a594aceb57cc
Opcode Fuzzy Hash: 66cde97e5b6e88c05fe61f7876ca5f3c8f1e09e8e1c1fdd468bf3c0515e0170c
Instruction Fuzzy Hash: C831F93690020EFFEF219F94C809FAEBB7ABF49744F000154FB01A5060D37A9A65DB54

Function 005F545A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 005F54BE

Strings

.dll, xrefs: 005F547B

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CurrentHandleModuleSleepThread
String ID: .dll
API String ID: 683542999-2738580789
Opcode ID: e984ccfbc9ac7d0ad81b90843ab27b5b5f7f134f05925d6e4ae0c1876f6c7d4b
Instruction ID: 79c60ac95fa5c07cef80b8483623f0f6bd9e21292fa84b73b94ba1b908a737ef
Opcode Fuzzy Hash: e984ccfbc9ac7d0ad81b90843ab27b5b5f7f134f05925d6e4ae0c1876f6c7d4b
Instruction Fuzzy Hash: EFF06D71101709BFEF00AF54C84EAB93FA1BF48341F108025FF0989052E339C6A0AA11

Function 005F7EE7 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00E503CC,?,?,-11EA5FEC,?,?,?,-11EA5FEC,?), ref: 005F7F99

Part of subcall function 005F7E99: IsBadWritePtr.KERNEL32(?,00000004), ref: 005F7EA7

CreateFileA.KERNEL32(?,?,?,-11EA5FEC,?,?,?,-11EA5FEC,?), ref: 005F7FB9

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 57355da21b1257838b4dee67f565a048a295ddb598db9d8b1fff1a30168a3c4a
Instruction ID: a4ea9e30aa5f0d9ad21e20c36616a69e841600611a30d52acfea7fe044c5fe60
Opcode Fuzzy Hash: 57355da21b1257838b4dee67f565a048a295ddb598db9d8b1fff1a30168a3c4a
Instruction Fuzzy Hash: 5511D33200814EFBEF22AFA4CC09BA93E72BF4C344F148556FA0565465D77A8AA1EB51

Function 005F7853 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

GetCurrentProcess.KERNEL32(-11EA5FEC), ref: 005F7860
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 005F78C6

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessSleepThread
String ID:
API String ID: 2846201637-0
Opcode ID: 055707be91383bd63930a3954f8f357af691e4a59acac41ad1839f54413e0430
Instruction ID: ca8d9613e9bbf68d4e9f106240d8f45af477358c7b2a6e233a64b4aa836d808a
Opcode Fuzzy Hash: 055707be91383bd63930a3954f8f357af691e4a59acac41ad1839f54413e0430
Instruction Fuzzy Hash: DB01D67210454EFA9F12AFA8DC4DCAE3F65BF887907004525FA15A4021D739C661EB61

Function 005F3798 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 005F37A7
Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: 6a5a9148d2602abf1df91ff887c6d467fcb48ca908740165de8a2810141acde1
Instruction ID: f4b95362c08be140329577fa228b5ff51b062a0c950c4b4d322fd7f0a3cb60e4
Opcode Fuzzy Hash: 6a5a9148d2602abf1df91ff887c6d467fcb48ca908740165de8a2810141acde1
Instruction Fuzzy Hash: B3F0B4F150610DEFEB21AF64C84977F7AB4FF44309F200039D20285081D77A2B89DA92

Function 00603F2B Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6cb138a0f92e84c3db53b5c860eff399ddc1db7d1617c536a5d218000c78a4f
Instruction ID: f45ced6af416c23ba221a7b4cc964c0bb1379f217536d6a9b411f34c8b1cfe3b
Opcode Fuzzy Hash: e6cb138a0f92e84c3db53b5c860eff399ddc1db7d1617c536a5d218000c78a4f
Instruction Fuzzy Hash: 914159B294020AAFDB38CF10C944BAB77B6FF00311F248455EB03AA6C1C771AD91DB95

Function 005F5ED2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 005F5F87

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a3cf3b89c394c8dcb5134ac4727d1a35698555d192e19ab065296e0fc62a14a5
Instruction ID: 11ccb049afff4c168cf582b914dbf67899f428afa1e89f2817dcb333df3581d2
Opcode Fuzzy Hash: a3cf3b89c394c8dcb5134ac4727d1a35698555d192e19ab065296e0fc62a14a5
Instruction Fuzzy Hash: 3D315EB1500609FAEF209F64DC49FADBFB8FB44314F208169F705AA191E7799A51CB10

Function 005F56EE Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 005F5770

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fdd7ce81fd2225799d68ee9601087092e8b686a2ad3ea79382d07a16b615fb6e
Instruction ID: 085833b2e1f2bd479c6223b8c1bb05d125abcd2a4c98e7f19008a5e77bceb816
Opcode Fuzzy Hash: fdd7ce81fd2225799d68ee9601087092e8b686a2ad3ea79382d07a16b615fb6e
Instruction Fuzzy Hash: 1131C371540609FFEB20AF68DC49FA97BB8FB44764F204225F711AE0D1E3B9A5428B50

Function 00603C78 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00603D25

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 7aff4e077d6eb09092ebc333b76255e4bfae00cc0dcbc0b4f6145b81f132f98b
Instruction ID: 8fedb8c967396ac657f4a83ba547753fab79da6eca5693434bfdb8bdefb01672
Opcode Fuzzy Hash: 7aff4e077d6eb09092ebc333b76255e4bfae00cc0dcbc0b4f6145b81f132f98b
Instruction Fuzzy Hash: 8811E671A812349FEB348A15CC48BEBB77DEF44756F1040A5E805A63C1D7709FC98BA2

Function 04EB0D41 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04EB0DCD

Memory Dump Source

Source File: 00000000.00000002.1523645951.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: adce696966cece80d728da6cb8bab1a0931c3ea0f66359d42c1539094e89edf8
Instruction ID: 2f9497e8dbd11780c8086463d1e5c586eb23efee31fb47f4bd152e3e3d2c4690
Opcode Fuzzy Hash: adce696966cece80d728da6cb8bab1a0931c3ea0f66359d42c1539094e89edf8
Instruction Fuzzy Hash: B82138B6C002099FDB50DF99D885BDFFBF5EB88320F14822AD908AB244D734A541CFA5

Function 04EB0D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04EB0DCD

Memory Dump Source

Source File: 00000000.00000002.1523645951.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 0f15a9cbaa10da9e6188e597687c21e0ee1e886668b31dffc729b0a1b3f71052
Instruction ID: 5d4146de5d9b6901bcbfd7bab5f3b4d3f9426496dc5f141d6ceee3045edda801
Opcode Fuzzy Hash: 0f15a9cbaa10da9e6188e597687c21e0ee1e886668b31dffc729b0a1b3f71052
Instruction Fuzzy Hash: BF2127B6C012199FCB50DF99D885BDEFBF5FB88310F14821AD908AB244D734A541CFA4

Function 04EB1509 Relevance: 1.6, APIs: 1, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04EB1580

Memory Dump Source

Source File: 00000000.00000002.1523645951.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 61e0bf84088b2da965d07a0e22b6a72dd06e225f7735bd67548cf0546e401e4a
Instruction ID: 3a278ea6c965ab074636f2a939702a74dd2aa8118b7175ea32992166d01070d9
Opcode Fuzzy Hash: 61e0bf84088b2da965d07a0e22b6a72dd06e225f7735bd67548cf0546e401e4a
Instruction Fuzzy Hash: 5B2117B1D003499FDB20CF9AC545BDEFBF4EB48360F108029E959A7250D778AA44CFA5

Function 04EB1510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04EB1580

Memory Dump Source

Source File: 00000000.00000002.1523645951.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 7579ecffd1e9b48998067eac1446c9e93c096d1ee0ed9521e66c389ba957325a
Instruction ID: 35547871479fa23a3686f43b212fa2af2b930562c73a4ad3641b42ea51908701
Opcode Fuzzy Hash: 7579ecffd1e9b48998067eac1446c9e93c096d1ee0ed9521e66c389ba957325a
Instruction Fuzzy Hash: D21129B1D003498FDB10CF9AC445BDEFBF4EB48360F108029E959A3250D378A544CFA5

Function 005F8A1F Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11EA5FEC), ref: 005F8AA6

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CurrentFileSleepThreadView
String ID:
API String ID: 2270672837-0
Opcode ID: f2b516849dfdde1398d590fb759b0dc2149e7396227d76f7eae7f2ffd73fd130
Instruction ID: 5c364a6f5157b228cbb9c923c1fbfa3770ee71def15c7c6a0e584adef3982eec
Opcode Fuzzy Hash: f2b516849dfdde1398d590fb759b0dc2149e7396227d76f7eae7f2ffd73fd130
Instruction Fuzzy Hash: 4D11937210010EFACF12AFA4DD099BE3E66FF89350B084516BA5255021DB3AD671EB61

Function 005F8807 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: 42299a6b55c5960796dc5f4ab24401f8772f762affbf9add79e68cedbbc36b97
Instruction ID: 3df5f9aac81c5342df96ec6f9eaf880d2a70029449f12abc17f6bc0b691f8c1e
Opcode Fuzzy Hash: 42299a6b55c5960796dc5f4ab24401f8772f762affbf9add79e68cedbbc36b97
Instruction Fuzzy Hash: B5113C7150020EEBDF11AFA4C80DABE3F65BF84384F544820FB1156061DB7DCA61EB51

Function 04EB1301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04EB1367

Memory Dump Source

Source File: 00000000.00000002.1523645951.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: b29acd4bf95d22bb48d95b92af5714dfac964c8f51bf872c6987491297e639da
Instruction ID: 53793e9e0f23d07b991eb8bc28bcfc3ad02913e10a3ef3a1500f22f8087c72b5
Opcode Fuzzy Hash: b29acd4bf95d22bb48d95b92af5714dfac964c8f51bf872c6987491297e639da
Instruction Fuzzy Hash: 981146B1C003498FDB10DF9AD545BEEFBF4EB48320F108429D558A3640D738A541CFA1

Function 04EB1308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04EB1367

Memory Dump Source

Source File: 00000000.00000002.1523645951.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4eb0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: b4b57853af7037d9d92e9a83111aa12c1abbebd9dc2209cbe1f9f14f4ed8a985
Instruction ID: 017539a0a6a3274e6e5ef3b1f047af211b5d2c90a2cbd269aef4a63fae5c9af5
Opcode Fuzzy Hash: b4b57853af7037d9d92e9a83111aa12c1abbebd9dc2209cbe1f9f14f4ed8a985
Instruction Fuzzy Hash: 8C11F5B18003498FDB20DF9AC945BEEFBF4EB48324F14842AD558A3650D778A944CFA5

Function 005F80EB Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11EA5FEC,?,?,005F5E1A,?,?,00000400,?,00000000,?,00000000), ref: 005F8157

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CurrentFileReadSleepThread
String ID:
API String ID: 1253362762-0
Opcode ID: fdc362f6b7eaf24042e9edba3acafef5fc101d205e60747409a88c69537886df
Instruction ID: 17bf18e208faf43c867ebad9d4cf432eab3cce03c17906f4fbb3624f2fe16a3c
Opcode Fuzzy Hash: fdc362f6b7eaf24042e9edba3acafef5fc101d205e60747409a88c69537886df
Instruction Fuzzy Hash: 80F0B67210010EEBDF126F98DC09DAA3F66BB99380B004621BB0159021DB3AC6A2EB61

Function 005F50CE Relevance: 1.5, APIs: 1, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(005F4884,005F4884), ref: 005F5119

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d605b3ed7f71941c24c6231dd5f3f45cef86bd81f4ee5a297b415b4f1b404b5a
Instruction ID: fa3f7799a63d8cf84225c40e3f7c4888b9794aa1eea682a4988b1d4c43c4b173
Opcode Fuzzy Hash: d605b3ed7f71941c24c6231dd5f3f45cef86bd81f4ee5a297b415b4f1b404b5a
Instruction Fuzzy Hash: 33E0C93110150EBA9F117AA5D80D97E2F5ABE94380B108121BB5654022FA7DD661EA51

Function 005AE54A Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 005B1662

Memory Dump Source

Source File: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0ccf72eb9edc268931673b985631a7562bcf11550174cad31b0e2c0e3f43d8e0
Instruction ID: 85e46408190150b3a84673d54a5292e5da04f6384ad1378221d5e45f721495b2
Opcode Fuzzy Hash: 0ccf72eb9edc268931673b985631a7562bcf11550174cad31b0e2c0e3f43d8e0
Instruction Fuzzy Hash: A6D0A9F360CA04AFC7412F5884543ACBBD4FF89390F360C38E282C7A00EE704840878A

Function 005F3969 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 005F39CD

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 358537dd5bee54dc269a464df033494d39f0e08e8f220f8017984f3faea2d895
Instruction ID: 5092050e31e6bc880097f8483bae2a3ea446ec836ae8353c0618e94ed2395a49
Opcode Fuzzy Hash: 358537dd5bee54dc269a464df033494d39f0e08e8f220f8017984f3faea2d895
Instruction Fuzzy Hash: AE01D232A0410EFFEF119FA8CD09DAEBF76FF48B40F004165B501A4060D7B68A65DB60

Function 006038A2 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0060389E,?,?,006035A4,?,?,006035A4,?,?,006035A4), ref: 006038C2

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b12a4bcc9b022256c34b0a5388b14f78540b78c2708146091538295e84b90df2
Instruction ID: 08496138101b44cbddd516e0bee81484fc5404d2f7943f39f0150187d6a26527
Opcode Fuzzy Hash: b12a4bcc9b022256c34b0a5388b14f78540b78c2708146091538295e84b90df2
Instruction Fuzzy Hash: 92F081B1900205EFE7248F14CD04B9ABBA9FF55762F108065F44A9B692E3B599D0DB90

Function 0042E4FE Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0042E5C7

Memory Dump Source

Source File: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b0d2211e9fb8dec36bc216b1545eebbaed43aabff9686b73230dfc0e7e393b1a
Instruction ID: f94c0f5e3f1550e4287b229a5a42fd1c488a957c563ad35c94d09b5336aca871
Opcode Fuzzy Hash: b0d2211e9fb8dec36bc216b1545eebbaed43aabff9686b73230dfc0e7e393b1a
Instruction Fuzzy Hash: 86011671508709DFC3449F36955856EBBE0EF84320F65892EE4C586640D3304981CB1B

Function 005F64EC Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

CloseHandle.KERNELBASE(005F5EAF,-11EA5FEC,?,?,005F5EAF,?), ref: 005F652A

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CloseCurrentHandleSleepThread
String ID:
API String ID: 4003616898-0
Opcode ID: 6cb1f837301953a78455bd318f9f92d4a7e91161df7e2fa43153764db96bd75c
Instruction ID: 86ba8233ec800462d7966cef8ae534f7325e5a9f1dc449e114fbd0789a1cf351
Opcode Fuzzy Hash: 6cb1f837301953a78455bd318f9f92d4a7e91161df7e2fa43153764db96bd75c
Instruction Fuzzy Hash: 20E048F224510FB5EF107BBCE80EC7E1F55BFD57407404531B302A5405DA6DC7919261

Function 0042E8F2 Relevance: 1.3, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0042F700

Memory Dump Source

Source File: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e72f2755de823a4bba41177fe1e982f99936959111b595e7fdc421159eda6fef
Instruction ID: 628f8b3511a66b9c2d262af177e02e73ba5623fc44f95b9e6e09f099617c2cb8
Opcode Fuzzy Hash: e72f2755de823a4bba41177fe1e982f99936959111b595e7fdc421159eda6fef
Instruction Fuzzy Hash: 10E06DF5A0C1058FE7086F24D91573DBBE2FB50710F50852DDCC246748E6720C66CA0B

Function 005F55B1 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,005F3637,?,?), ref: 005F55B7

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0e696b786f3f1f6b23ae72c00d196715a7a51c2c7cf1a2099362c29344b3d316
Instruction ID: ff2466ac025636ac8fa8138088e11b1ded7a003b77add927c62003d616c47423
Opcode Fuzzy Hash: 0e696b786f3f1f6b23ae72c00d196715a7a51c2c7cf1a2099362c29344b3d316
Instruction Fuzzy Hash: D2B0923100054DBBCF02BF65DC0A84DBFAABF56398B008120BA0644831DB76EAA09B90

Non-executed Functions

Function 005F78E5 Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

GetSystemTime.KERNEL32(?,-11EA5FEC), ref: 005F791A
GetFileTime.KERNEL32(?,?,?,?,-11EA5FEC), ref: 005F795D

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: Time$CurrentFileSleepSystemThread
String ID:
API String ID: 3818558864-0
Opcode ID: ce16818507b60fe40c8ca7fcbfd8233354de813740b81e1cde619a8717a5d2c7
Instruction ID: 4f7cfee7749f24f6ca6e795d4e8551b13051a24a6dc528cb301cb829ec5b2fc3
Opcode Fuzzy Hash: ce16818507b60fe40c8ca7fcbfd8233354de813740b81e1cde619a8717a5d2c7
Instruction Fuzzy Hash: 6F01163220404EFBDF216F69ED0CDAE7F75FFC9720B108225F60295061C77A8AA1DA60

Function 005F87A3 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 005F87EA

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: 4c0debea577b16dafc2462d6c25f0846d9dd0a5d60269359713866d9603ff9dc
Instruction ID: 31e0e0aded7db51f26b2a28fb63bd05aae75f8b06d58f69f5f5746066d5698a0
Opcode Fuzzy Hash: 4c0debea577b16dafc2462d6c25f0846d9dd0a5d60269359713866d9603ff9dc
Instruction Fuzzy Hash: FDF0F83260120EEFCF01DF94C944AAD7FB2FF19314B208525FA0596611D776DAA1EF40

Function 0042E003 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d1922d40a458750ce2693da1406de9a118d80294ff7b262c81a513c59ae3cb
Instruction ID: 599ffbc7252288fce73ac2bc39234bc79b1ad15bcaf2551e392fc0df6f67d3ba
Opcode Fuzzy Hash: 79d1922d40a458750ce2693da1406de9a118d80294ff7b262c81a513c59ae3cb
Instruction Fuzzy Hash: 4301F7F618413A9DCB12CE465E045EF7A2DFA43370B704027F802D7902D3E60D1695A8

Function 005B6A2F Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19e9601f31df17d8e3b00613da5d1011c11311799d279fc7aac63243cfce2de
Instruction ID: 029f5642e81803bb383ba11a85dd5b86fcfbc1e1d0d0afc2e847087e9b4afbe5
Opcode Fuzzy Hash: a19e9601f31df17d8e3b00613da5d1011c11311799d279fc7aac63243cfce2de
Instruction Fuzzy Hash: CEE04F360041019ED700DF54C84599FFBF8FF19320F608445E444C7622C3394941CB29

Function 005F6E1B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 005F3798: GetCurrentThreadId.KERNEL32 ref: 005F37A7
Part of subcall function 005F3798: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005F37EA

Part of subcall function 005F7E99: IsBadWritePtr.KERNEL32(?,00000004), ref: 005F7EA7

wsprintfA.USER32 ref: 005F6E61
LoadImageA.USER32(?,?,?,?,?,?), ref: 005F6F25

Strings

%8x, xrefs: 005F6EEF, 005F6F22
%8x, xrefs: 005F6E5C, 005F6E5F

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: CurrentImageLoadSleepThreadWritewsprintf
String ID: %8x$%8x
API String ID: 2375920415-2046107164
Opcode ID: b5f8a85fbfeba9876a8eaf053a0135ca439cb71a479b982319b992b9e2027fc9
Instruction ID: ed3087df266d59b97d6bfa9d3142bec8bf81b18b95abb8660a0baa40202d1a25
Opcode Fuzzy Hash: b5f8a85fbfeba9876a8eaf053a0135ca439cb71a479b982319b992b9e2027fc9
Instruction Fuzzy Hash: B831047290020EFBDF119F94DC49EAEBF79FF88700F108125F611A61A1D7759A61DBA0

Function 005F79EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00E503CC,00004020,00000000,-11EA5FEC), ref: 005F7AD9

Strings

@, xrefs: 005F7A18

Memory Dump Source

Source File: 00000000.00000002.1520938934.00000000005EF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true

Associated: 00000000.00000002.1520495731.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520513527.0000000000422000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520529871.0000000000426000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520546382.000000000042A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520566057.0000000000436000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520666443.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520684379.0000000000585000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520706433.000000000059F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520724269.00000000005A1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520739644.00000000005AB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520777482.00000000005BF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520796120.00000000005C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520812202.00000000005C2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520830340.00000000005C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520847098.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520864285.00000000005C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520884362.00000000005DC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520902349.00000000005DD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520921466.00000000005E4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520971444.0000000000614000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1520993092.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521012970.000000000061C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521032405.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521058206.0000000000629000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521074231.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521099371.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521119820.0000000000639000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521137554.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521168084.0000000000645000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521189997.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521209486.0000000000649000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521223927.000000000064A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521240085.0000000000650000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521259585.0000000000651000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521276632.0000000000653000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521301604.0000000000672000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521323368.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521351636.00000000006A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521374196.00000000006A5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006AF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521398433.00000000006B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1521436972.00000000006C6000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_420000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 475a9f9d785a43e060fa38d6714f8e0514261fd44e4afde4cdcbff8d06d6b6c0
Instruction ID: b44386907ca2c3a642fe199bb325192834900d1d12755b69e4785bea8c251072
Opcode Fuzzy Hash: 475a9f9d785a43e060fa38d6714f8e0514261fd44e4afde4cdcbff8d06d6b6c0
Instruction Fuzzy Hash: 5F317CB550460AEFDF259F44C8487AEBFB1FF08300F008519E69567650C3B8A6A5CB80

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7812, Parent PID: 4056

General

Windows Analysis Report
file.exe

Function 006034FF Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 005F4E6B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 005F5371 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 005F7CCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 005F3D4B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 005F545A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 005F7EE7 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 005F7853 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 005F3798 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Function 00603F2B Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Function 005F5ED2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 005F56EE Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00603C78 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 04EB0D41 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON