Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560659
MD5:	0088235be044c8a88124dd1b58b186e7
SHA1:	31107b10e2d6f4d9b928aaf8fc53ec209823c0c4
SHA256:	9ba473c3f4b60970545a8756d91f2461a84c6236aee185f89f064e0fbc60599e
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0088235BE044C8A88124DD1B58B186E7)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D7ABCF CryptVerifySignatureA,

0_2_00D7ABCF

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1864655192.0000000004C60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1F450		0_2_00D1F450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1F449		0_2_00D1F449

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00D75BC4 appears 35 times

Source: file.exe, 00000000.00000000.1834896267.0000000000B86000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2908160 > 1048576

Source: file.exe

Static PE information: Raw size of ouvlnbnl is bigger than: 0x100000 < 0x2c0000

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W;ouvlnbnl:EW;ddjhkoos:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2d5dab should be: 0x2cf4ca

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: ouvlnbnl
Source: file.exe	Static PE information: section name: ddjhkoos
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1ED4A push ecx; mov dword ptr [esp], eax	0_2_00D1ED69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2BD12 push ebp; mov dword ptr [esp], 1368342Eh	0_2_00D2BD1A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2BD12 push ecx; mov dword ptr [esp], esi	0_2_00D2CD2D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8ED70 push edx; mov dword ptr [esp], ebx	0_2_00B8ED77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8ED70 push 326DF14Fh; mov dword ptr [esp], esi	0_2_00B8F181
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1EE7B push edx; mov dword ptr [esp], 40070935h	0_2_00D1EEBA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1EE7B push eax; mov dword ptr [esp], 20376A1Fh	0_2_00D1EF1B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1EE7B push 4C69F439h; mov dword ptr [esp], edx	0_2_00D1EFAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1EE7B push 54E0AFF8h; mov dword ptr [esp], eax	0_2_00D1EFBB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B908B0 push ecx; mov dword ptr [esp], edx	0_2_00B920B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5B0C3 push 789B7773h; mov dword ptr [esp], ebx	0_2_00D5B0CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9108C push edx; mov dword ptr [esp], eax	0_2_00B92D9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9108C push ecx; mov dword ptr [esp], 20C865F8h	0_2_00B92DA6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9108C push edx; mov dword ptr [esp], esp	0_2_00B92DB1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2D0E8 push 18217B5Ah; mov dword ptr [esp], edx	0_2_00D2D0F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D73090 push 36504D2Fh; mov dword ptr [esp], ebp	0_2_00D7315D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B948F6 push ebp; mov dword ptr [esp], ebx	0_2_00B95902
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B948F6 push 47B0FDA8h; mov dword ptr [esp], eax	0_2_00B9590A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1F889 push 01C206ECh; mov dword ptr [esp], edi	0_2_00D1F8E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1F889 push eax; mov dword ptr [esp], 744F7F9Ah	0_2_00D1F906
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D1F889 push ebp; mov dword ptr [esp], 52660402h	0_2_00D1F9C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B908D2 push ebx; mov dword ptr [esp], 7EFF34E2h	0_2_00B908DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B908D2 push 25C83085h; mov dword ptr [esp], ecx	0_2_00B91F8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2C0AF push ebx; mov dword ptr [esp], edi	0_2_00D2C0B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DF0859 push ebx; mov dword ptr [esp], ebp	0_2_00DF08B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2C05A push eax; mov dword ptr [esp], ecx	0_2_00D2C05F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2C05A push 2EBA513Bh; mov dword ptr [esp], ebp	0_2_00D2C072
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4304E push ebx; mov dword ptr [esp], 1FD9FF30h	0_2_00D43094
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4304E push 34197574h; mov dword ptr [esp], eax	0_2_00D430A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8C023 push eax; mov dword ptr [esp], edx	0_2_00B8C751
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DB081B push edx; mov dword ptr [esp], 77B02DC0h	0_2_00DB081F

Source: file.exe

Static PE information: section name: entropy: 7.787015841638829

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E3BA second address: B8E3C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E3C0 second address: B8E3CA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD1B4C006FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F14D second address: D1F15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007FD1B4C07CE6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F15A second address: D1F181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C006FFh 0x00000009 jmp 00007FD1B4C00703h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1F2BC second address: D1F2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD1B4C07CEBh 0x0000000a pop esi 0x0000000b pushad 0x0000000c jo 00007FD1B4C07CEAh 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D23418 second address: D23430 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD1B4C006F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jo 00007FD1B4C0070Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D23430 second address: D2344B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push ecx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2344B second address: D23494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 mov di, si 0x0000000a push 00000003h 0x0000000c mov di, BD87h 0x00000010 push 00000000h 0x00000012 add cx, 8604h 0x00000017 xor cx, 6754h 0x0000001c push 00000003h 0x0000001e movzx edx, di 0x00000021 call 00007FD1B4C006F9h 0x00000026 jmp 00007FD1B4C006FFh 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FD1B4C006FCh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D23494 second address: D23498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D23498 second address: D234CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 js 00007FD1B4C006F6h 0x0000000d pop edi 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edx 0x00000014 jne 00007FD1B4C006F8h 0x0000001a pop edx 0x0000001b mov eax, dword ptr [eax] 0x0000001d jp 00007FD1B4C006FEh 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3517E second address: D35182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D42472 second address: D424A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C00706h 0x00000007 jnp 00007FD1B4C006F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 popad 0x00000014 jns 00007FD1B4C006F6h 0x0000001a popad 0x0000001b jc 00007FD1B4C00702h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D424A6 second address: D424AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D428EE second address: D428F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D428F6 second address: D42913 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FD1B4C07CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD1B4C07CECh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D42913 second address: D42945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD1B4C00705h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FD1B4C00704h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D42C51 second address: D42C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D42DD6 second address: D42DFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FEh 0x00000007 jmp 00007FD1B4C006FBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FD1B4C006F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D43149 second address: D43151 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D36C8F second address: D36C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D36C93 second address: D36C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD1B4C07CE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D43C94 second address: D43C98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D43C98 second address: D43CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD1B4C07CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D43DFC second address: D43E17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C00707h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44125 second address: D4412A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49338 second address: D4933C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47CF0 second address: D47CFA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD1B4C07CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47CFA second address: D47D01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4FEA1 second address: D4FEAD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD1B4C07CEEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5003E second address: D50042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51372 second address: D51378 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51524 second address: D51528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51528 second address: D5152E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5152E second address: D51539 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FD1B4C006F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D518BD second address: D518E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FD1B4C07CEFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D518E5 second address: D518EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D518EA second address: D51901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1B4C07CF3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EAD second address: D51EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EB1 second address: D51EB7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52401 second address: D52405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5450E second address: D5456E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D37C7h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FD1B4C07CE8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D380Bh] 0x00000034 push eax 0x00000035 push ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FD1B4C07CF5h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54E83 second address: D54E88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C1B second address: D54C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1B4C07CEFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C46 second address: D54C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54E88 second address: D54EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 7C196AB2h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FD1B4C07CE8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d push 00000000h 0x0000002f xchg eax, ebx 0x00000030 jmp 00007FD1B4C07CF4h 0x00000035 push eax 0x00000036 pushad 0x00000037 jmp 00007FD1B4C07CF3h 0x0000003c pushad 0x0000003d push ecx 0x0000003e pop ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C4C second address: D54C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5B77B second address: D5B785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD1B4C07CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DD21 second address: D5DD38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD16 second address: D5FD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD1A second address: D5FD24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FD24 second address: D5FD28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CE28 second address: D5CE2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5EF5A second address: D5EF6C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD1B4C07CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FD1B4C07CE6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BFAD second address: D5BFB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CE2C second address: D5CE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BFB1 second address: D5BFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FE4A second address: D5FECD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FD1B4C07CE8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov dword ptr [ebp+122D25D1h], edx 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov edi, 7650700Bh 0x0000003e mov eax, dword ptr [ebp+122D0455h] 0x00000044 mov ebx, dword ptr [ebp+12491BD3h] 0x0000004a push FFFFFFFFh 0x0000004c jmp 00007FD1B4C07CF7h 0x00000051 nop 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FD1B4C07CF7h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5F01D second address: D5F021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60A97 second address: D60B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FD1B4C07CE8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 jnc 00007FD1B4C07CE9h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push esi 0x00000031 call 00007FD1B4C07CE8h 0x00000036 pop esi 0x00000037 mov dword ptr [esp+04h], esi 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc esi 0x00000044 push esi 0x00000045 ret 0x00000046 pop esi 0x00000047 ret 0x00000048 mov edi, 2AF5F537h 0x0000004d mov ebx, dword ptr [ebp+122D39FFh] 0x00000053 push 00000000h 0x00000055 mov edi, 23FFC74Ch 0x0000005a mov dword ptr [ebp+124661C7h], eax 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 jnp 00007FD1B4C07CE6h 0x0000006a pop eax 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5FECD second address: D5FEFD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD1B4C0070Fh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 jg 00007FD1B4C006F6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60CB6 second address: D60CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D62B01 second address: D62B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D62B05 second address: D62B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63A07 second address: D63A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C00701h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63A1D second address: D63A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D62D5D second address: D62E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C00705h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub dword ptr [ebp+122D2420h], edi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FD1B4C006F8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a pushad 0x0000003b call 00007FD1B4C00704h 0x00000040 ja 00007FD1B4C006F6h 0x00000046 pop esi 0x00000047 jmp 00007FD1B4C00708h 0x0000004c popad 0x0000004d mov eax, dword ptr [ebp+122D098Dh] 0x00000053 mov edi, ebx 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ecx 0x0000005a call 00007FD1B4C006F8h 0x0000005f pop ecx 0x00000060 mov dword ptr [esp+04h], ecx 0x00000064 add dword ptr [esp+04h], 00000016h 0x0000006c inc ecx 0x0000006d push ecx 0x0000006e ret 0x0000006f pop ecx 0x00000070 ret 0x00000071 mov di, 6F57h 0x00000075 nop 0x00000076 pushad 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63A23 second address: D63A9C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD1B4C07CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FD1B4C07CE8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 jo 00007FD1B4C07CE8h 0x0000002f mov bl, 29h 0x00000031 push 00000000h 0x00000033 clc 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007FD1B4C07CE8h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 sub dword ptr [ebp+122D27C7h], eax 0x00000056 sub dword ptr [ebp+1248B2C1h], esi 0x0000005c push ebx 0x0000005d movsx ebx, bx 0x00000060 pop ebx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D62E11 second address: D62E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD1B4C006F6h 0x0000000a popad 0x0000000b jng 00007FD1B4C006FCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63A9C second address: D63AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D649CB second address: D649DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD1B4C006F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FD1B4C006F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D65768 second address: D6576C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6576C second address: D65772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63C36 second address: D63C70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FD1B4C07CF8h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D668CD second address: D668D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D65A34 second address: D65A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D65A3A second address: D65A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D65A3E second address: D65A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FD1B4C07CE8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67668 second address: D676B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, dword ptr [ebp+122D39AFh] 0x00000014 push 00000000h 0x00000016 or dword ptr [ebp+1246A561h], ebx 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FD1B4C006F8h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 jmp 00007FD1B4C006FAh 0x0000003d or dword ptr [ebp+122D31C4h], edx 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D676B8 second address: D676C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D676C2 second address: D676C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6989B second address: D698B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FD1B4C07CECh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jbe 00007FD1B4C07CECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D68A11 second address: D68AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007FD1B4C00706h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FD1B4C006F8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d movzx ebx, dx 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FD1B4C006F8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov eax, dword ptr [ebp+122D0471h] 0x00000057 pushad 0x00000058 mov ecx, dword ptr [ebp+122D3160h] 0x0000005e mov dword ptr [ebp+122D236Ch], edi 0x00000064 popad 0x00000065 push FFFFFFFFh 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FD1B4C006FCh 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D68AA8 second address: D68AC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1B4C07CF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D69B55 second address: D69B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1B4C00703h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6FE8F second address: D6FE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6FE93 second address: D6FE9B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D188F4 second address: D188FD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D188FD second address: D18917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD1B4C006F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007FD1B4C006F6h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D18917 second address: D1891B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1891B second address: D18923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D731B7 second address: D731BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D731BD second address: D73211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FD1B4C00707h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push edi 0x0000000e jmp 00007FD1B4C00709h 0x00000013 pop edi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD1B4C00706h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D734D1 second address: D7350D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF5h 0x00000007 push eax 0x00000008 jmp 00007FD1B4C07CEAh 0x0000000d jmp 00007FD1B4C07CEEh 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jl 00007FD1B4C07CECh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A0B8 second address: D8A0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1B4C006FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A537 second address: D8A53B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A53B second address: D8A541 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A541 second address: D8A547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A547 second address: D8A54E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A829 second address: D8A82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D909EA second address: D909F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD1B4C006F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D909F5 second address: D90A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD1B4C07CF5h 0x00000008 jmp 00007FD1B4C07CF9h 0x0000000d popad 0x0000000e jnl 00007FD1B4C07CECh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jg 00007FD1B4C07D19h 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90A3F second address: D90A66 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD1B4C006F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD1B4C006FBh 0x00000011 jmp 00007FD1B4C00700h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8FE6C second address: D8FE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8F416 second address: D8F41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8F41C second address: D8F424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90703 second address: D9070A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9070A second address: D9070F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9070F second address: D90726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD1B4C006FCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90726 second address: D9072C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9072C second address: D90732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90732 second address: D90738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9945E second address: D99490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD1B4C00709h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FD1B4C00701h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99838 second address: D9985F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD1B4C07CE6h 0x00000008 jmp 00007FD1B4C07CF9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9985F second address: D99865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99865 second address: D99869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99869 second address: D99871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99871 second address: D99876 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99876 second address: D9987F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9987F second address: D99889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD1B4C07CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D999D0 second address: D999D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A131 second address: D9A140 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD1B4C07CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A140 second address: D9A146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A146 second address: D9A15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD1B4C07CF0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A15D second address: D9A162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A162 second address: D9A168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9A168 second address: D9A187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C00707h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99146 second address: D9914C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F8DD second address: D9F8E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58914 second address: D58918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58918 second address: D58941 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FD1B4C00704h 0x00000013 jmp 00007FD1B4C006FEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58941 second address: D36C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call dword ptr [ebp+122D30F0h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FD1B4C07CECh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58E16 second address: D58E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5937E second address: D593A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 je 00007FD1B4C07CE6h 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD1B4C07CF3h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D593A2 second address: D593A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D593A6 second address: D593AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5977D second address: D59796 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C00702h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59796 second address: D597EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FD1B4C07CF2h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FD1B4C07CE8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dx, 0380h 0x0000002b mov dx, di 0x0000002e movsx edx, dx 0x00000031 push 0000001Eh 0x00000033 mov cl, 45h 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jc 00007FD1B4C07CE8h 0x0000003e push esi 0x0000003f pop esi 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D597EE second address: D597F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59BF4 second address: D59C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+12491BD3h], eax 0x00000010 lea eax, dword ptr [ebp+1249E6D3h] 0x00000016 push ecx 0x00000017 mov ecx, 7566682Ah 0x0000001c pop ecx 0x0000001d add dx, 7651h 0x00000022 push eax 0x00000023 ja 00007FD1B4C07CF0h 0x00000029 mov dword ptr [esp], eax 0x0000002c mov cx, 15BFh 0x00000030 jns 00007FD1B4C07CE9h 0x00000036 movzx edi, ax 0x00000039 lea eax, dword ptr [ebp+1249E68Fh] 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007FD1B4C07CE8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 0000001Bh 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FD1B4C07CEFh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9EB05 second address: D9EB2E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD1B4C00706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FD1B4C006F6h 0x00000013 jnl 00007FD1B4C006F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9EB2E second address: D9EB32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F09E second address: D9F0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jnp 00007FD1B4C00702h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F4B6 second address: D9F4E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD1B4C07CF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5932 second address: DA5937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5937 second address: DA593C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA593C second address: DA5951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD1B4C006F6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d jng 00007FD1B4C006FCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8E5F second address: DA8E69 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD1B4C07CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02A32 second address: D02A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD1B4C006FDh 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jne 00007FD1B4C006F6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02A51 second address: D02A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FD1B4C07CEEh 0x0000000e jo 00007FD1B4C07CE6h 0x00000014 jne 00007FD1B4C07CE6h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8802 second address: DA8810 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8810 second address: DA8816 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA89C0 second address: DA89E0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD1B4C006F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FD1B4C0070Ah 0x00000010 jmp 00007FD1B4C006FEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA89E0 second address: DA89E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA89E4 second address: DA89E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8B34 second address: DA8B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8B3A second address: DA8B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FD1B4C006FDh 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8B4E second address: DA8B58 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD1B4C07CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAE514 second address: DAE518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAE518 second address: DAE51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAE51E second address: DAE524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAE524 second address: DAE548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD1B4C07CE6h 0x00000009 jmp 00007FD1B4C07CF9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAE98F second address: DAE9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C00707h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAE9AA second address: DAE9B0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAEB4A second address: DAEB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAECB3 second address: DAECC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D595CD second address: D595D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D595D4 second address: D595E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA55 second address: DAFA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA5B second address: DAFA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA62 second address: DAFA68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA68 second address: DAFA6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA6C second address: DAFA70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA70 second address: DAFA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD1B4C07CEAh 0x00000010 jmp 00007FD1B4C07CF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFA9B second address: DAFABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD1B4C00707h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFABC second address: DAFAC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5876 second address: DB58A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD1B4C00710h 0x00000008 pushad 0x00000009 jbe 00007FD1B4C006F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D11C3A second address: D11C53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FD1B4C07CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD1B4C07CEBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D11C53 second address: D11C5B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4E0D second address: DB4E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4E11 second address: DB4E30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD1B4C006F8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD1B4C006FDh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4F57 second address: DB4F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4F5D second address: DB4F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4F61 second address: DB4F6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FD1B4C07CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4F6D second address: DB4F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD1B4C006F6h 0x0000000a jmp 00007FD1B4C00703h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4F8A second address: DB4F90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5105 second address: DB510F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB52A2 second address: DB52B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C07CEFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0057 second address: DC0073 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD1B4C00707h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0073 second address: DC0099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FD1B4C07CEEh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD1B4C07CEFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0099 second address: DC009D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0654 second address: DC0658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0658 second address: DC0662 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0662 second address: DC0666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0666 second address: DC066A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC066A second address: DC0682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD1B4C07CF0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0682 second address: DC068E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FD1B4C006F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0EF9 second address: DC0F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD1B4C07CE6h 0x0000000a pop edi 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pop eax 0x00000010 js 00007FD1B4C07CFEh 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC14CE second address: DC14D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1A21 second address: DC1A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1A28 second address: DC1A58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C00708h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD1B4C00704h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1D8B second address: DC1DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD1B4C07CF8h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1DAB second address: DC1DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC76FC second address: DC770D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FD1B4C07CF2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC770D second address: DC7713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7713 second address: DC7717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC690C second address: DC6924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD1B4C00703h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6924 second address: DC692A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC692A second address: DC6930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6A92 second address: DC6A98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6A98 second address: DC6AA2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD1B4C006F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6EA8 second address: DC6EC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7001 second address: DC700D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD1B4C006F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC700D second address: DC7013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC714F second address: DC7170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 je 00007FD1B4C006F6h 0x0000000d pop esi 0x0000000e jnl 00007FD1B4C006FCh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7170 second address: DC717A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD1B4C07CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC717A second address: DC7183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC72D8 second address: DC72DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC72DC second address: DC72E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC72E2 second address: DC72EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC72EB second address: DC730D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD1B4C006F6h 0x0000000a jmp 00007FD1B4C00707h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7437 second address: DC743C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0974A second address: D09778 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FD1B4C00701h 0x0000000f ja 00007FD1B4C006F6h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09778 second address: D0977D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD95D second address: DCD989 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD1B4C0070Ch 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FD1B4C00704h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD1B4C006FCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0B239 second address: D0B23E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0B23E second address: D0B251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD1B4C006FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD3E25 second address: DD3E56 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD1B4C07CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FD1B4C07CF5h 0x00000016 popad 0x00000017 jl 00007FD1B4C07D0Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD3E56 second address: DD3E71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FD1B4C00702h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD42EF second address: DD430F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD1B4C07CF6h 0x00000008 jns 00007FD1B4C07CE6h 0x0000000e jmp 00007FD1B4C07CEAh 0x00000013 jo 00007FD1B4C07CECh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD470A second address: DD4713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD49FB second address: DD49FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD49FF second address: DD4A0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FD1B4C006F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD4A0D second address: DD4A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FD1B4C07CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD4A19 second address: DD4A29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 js 00007FD1B4C006F6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD4A29 second address: DD4A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5221 second address: DD5237 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007FD1B4C006F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDD451 second address: DDD455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCE13 second address: DDCE19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF4F second address: DDCF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF55 second address: DDCF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF5B second address: DDCF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FD1B4C07CF4h 0x0000000b jmp 00007FD1B4C07CEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FD1B4C07CEEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF86 second address: DDCF8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF8C second address: DDCF96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF96 second address: DDCF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCF9A second address: DDCF9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF0E5B second address: DF0E65 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD1B4C006F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF0E65 second address: DF0E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD1B4C07CEAh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD1B4C07CECh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF08E7 second address: DF08EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF08EB second address: DF08F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF7244 second address: DF725D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FD1B4C00702h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF725D second address: DF7263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF7263 second address: DF7267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFFCAF second address: DFFCC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD1B4C07CE6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFFCC2 second address: DFFCCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0769C second address: E076A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007FD1B4C07CE6h 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E060A7 second address: E060AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E060AC second address: E060DC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD1B4C07CF0h 0x00000008 jmp 00007FD1B4C07CEAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD1B4C07CF4h 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E060DC second address: E060E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E060E2 second address: E06102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF2h 0x00000007 jns 00007FD1B4C07CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E06636 second address: E0663F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0663F second address: E06643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E06643 second address: E06649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E067B1 second address: E067CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD1B4C07CE6h 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007FD1B4C07CE6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E067CA second address: E067CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0699E second address: E069A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E069A4 second address: E069AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E069AE second address: E069B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E069B4 second address: E069B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E07340 second address: E07345 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0D380 second address: E0D384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0D538 second address: E0D53C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A437 second address: E1A43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A43D second address: E1A442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A442 second address: E1A447 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A21E second address: E1A222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A222 second address: E1A243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD1B4C00708h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A243 second address: E1A24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A24C second address: E1A251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A251 second address: E1A259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A259 second address: E1A25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A25F second address: E1A280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD1B4C07CF4h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A280 second address: E1A284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A284 second address: E1A2AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FD1B4C07D01h 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FD1B4C07CF9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1A2AB second address: E1A2D0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD1B4C0070Ah 0x00000008 pushad 0x00000009 jp 00007FD1B4C006F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E283A4 second address: E283DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007FD1B4C07CE6h 0x0000000d popad 0x0000000e push ebx 0x0000000f jnp 00007FD1B4C07CE6h 0x00000015 pop ebx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FD1B4C07CF9h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E283DA second address: E283DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E280EA second address: E280F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2A8AD second address: E2A8E3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD1B4C00707h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FD1B4C006FFh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD1B4C00706h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2A8E3 second address: E2A91A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF9h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FD1B4C07CF5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2A91A second address: E2A920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E319BA second address: E319F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FD1B4C07CF2h 0x0000000f jnp 00007FD1B4C07CF6h 0x00000015 jmp 00007FD1B4C07CEAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E319F5 second address: E319FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E319FE second address: E31A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E31A04 second address: E31A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD1B4C006F6h 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007FD1B4C006FFh 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C45 second address: E30C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C49 second address: E30C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C4F second address: E30C74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD1B4C07CF9h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C74 second address: E30CAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FD1B4C00704h 0x0000000a jmp 00007FD1B4C00707h 0x0000000f popad 0x00000010 ja 00007FD1B4C00702h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E31267 second address: E3127A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C07CEDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3127A second address: E3127F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E313C6 second address: E313DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E31554 second address: E3155E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD1B4C006F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3155E second address: E31575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FD1B4C07CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007FD1B4C07CE6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E31575 second address: E3157F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E332B1 second address: E332BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD1B4C07CE6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E332BE second address: E332C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FD1B4C006F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E332C9 second address: E332D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3315F second address: E33170 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E36995 second address: E369C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD1B4C07CE6h 0x0000000a jmp 00007FD1B4C07CEBh 0x0000000f popad 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 jbe 00007FD1B4C07CFEh 0x0000001a jmp 00007FD1B4C07CF2h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E363AB second address: E363C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FFh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3BC7F second address: E3BC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3BC83 second address: E3BC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3BC89 second address: E3BCA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3BCA7 second address: E3BCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3EE80 second address: E3EE84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3EE84 second address: E3EEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FD1B4C00709h 0x0000000e pop ebx 0x0000000f jng 00007FD1B4C006FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E40F8A second address: E40FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007FD1B4C07CF1h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD1B4C07CEEh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E40FB6 second address: E40FBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E40FBC second address: E40FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007FD1B4C07D00h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E40FCC second address: E40FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD1B4C00704h 0x00000009 push eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f jmp 00007FD1B4C006FAh 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E364F9 second address: E364FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E364FF second address: E36560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C006FBh 0x00000007 jo 00007FD1B4C006F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FD1B4C00713h 0x00000015 jno 00007FD1B4C00715h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E36560 second address: E3657D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CEAh 0x00000007 jmp 00007FD1B4C07CEAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3657D second address: E36585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E378CF second address: E378F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD1B4C07CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007FD1B4C07CEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FD1B4C07CE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D542BA second address: D542BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D542BE second address: D542C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B8DB61 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D493A8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D47A7C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D58A72 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B8DB84 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DE0DEA instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7000000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1EE7B rdtsc

0_2_00D1EE7B

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7652

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D7FE05 GetSystemInfo,VirtualAlloc,

0_2_00D7FE05

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D1EE7B rdtsc

0_2_00D1EE7B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B8B968 LdrInitializeThunk,

0_2_00B8B968

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D79D11 GetSystemTime,GetFileTime,

0_2_00D79D11

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560659
Start date and time:	2024-11-22 05:15:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.44113909439315
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'908'160 bytes
MD5:	0088235be044c8a88124dd1b58b186e7
SHA1:	31107b10e2d6f4d9b928aaf8fc53ec209823c0c4
SHA256:	9ba473c3f4b60970545a8756d91f2461a84c6236aee185f89f064e0fbc60599e
SHA512:	795f3faf3ea95e0e796ef62353072a5cb6eaa00884694b62b747e43492dd4591cede7fae2a280711fcd8dc7ee6f509e46259564942d3448c403e2bc31ac85fd2
SSDEEP:	49152:UdM4Oztvu0r2INNaWBx9XcCdZ+c9GEFkRY:U7Ozt2w2INNamXfd8QGEFR
TLSH:	A0D52A61B95972CFF58A2A78D537CDC2591D03F547250CD3A879A8BABF63CC011BAC28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............,.. ...`....@.. ........................-......]-...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6cc000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD1B4862E3Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	f079c3d602b04de0bb47c1d607500bb3	False	0.931640625	data	7.787015841638829	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ouvlnbnl	0xa000	0x2c0000	0x2c0000	f85800297e391ca258f6f52e7dd1629f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ddjhkoos	0x2ca000	0x2000	0x400	276b57e6aaec542a424816eeedd88ff6	False	0.7216796875	data	5.814925792198507	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2cc000	0x4000	0x2200	870be57b028008d290dff2a66e848d2e	False	0.06376378676470588	DOS executable (COM)	0.8022744602319511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	23:16:14
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb80000
File size:	2'908'160 bytes
MD5 hash:	0088235BE044C8A88124DD1B58B186E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	3.4%
Signature Coverage:	3.9%
Total number of Nodes:	358
Total number of Limit Nodes:	19

Executed Functions

Function 00D7FE05 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11745FEC), ref: 00D7FE11
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00D7FE72

Memory Dump Source

Source File: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 3da18648c0e8b0116ebd503bf675d47ae6260479a9705f7ceb4632c0f2c93011
Instruction ID: 3b63d79b78fe9aaac12ff51484b22c821a572b93ffba5e81ddc011dddfcbdd1d
Opcode Fuzzy Hash: 3da18648c0e8b0116ebd503bf675d47ae6260479a9705f7ceb4632c0f2c93011
Instruction Fuzzy Hash: ED41E2B1A40206AED735DF58D845B9ABBACFF48700F044476F607ED582EB6095F48BE0

Function 00D1EE7B Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00D1EE7B

Memory Dump Source

Source File: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8132ed79afc0706b168863b91e20fa65efd3aec9e13cdac8bd896a3a24c6cac7
Instruction ID: b1dc859b549a1db883aaf571eb3d15147ce32aeaebccbbc857d1d391870059c1
Opcode Fuzzy Hash: 8132ed79afc0706b168863b91e20fa65efd3aec9e13cdac8bd896a3a24c6cac7
Instruction Fuzzy Hash: 7D313CF150C600AFE315AF09D88177AFBE5EF88720F12882DE6C893750DA3548408BAB

Function 00B8B968 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cca82be202591bb39f6235d30fd084001381b5901d46a18ffb2616b2ad7d73
Instruction ID: 7a4416c2c5c74ba1cb716f74e03ed00f40bd71750d13dbb104d5b12e21338406
Opcode Fuzzy Hash: 95cca82be202591bb39f6235d30fd084001381b5901d46a18ffb2616b2ad7d73
Instruction Fuzzy Hash: 6BC02B914181C5988701BC7004E01B02E8008A72147190CD7C104C0017D00150018225

Function 00D77297 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 00D773A8
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00D773BC

Strings

.dll, xrefs: 00D772DF
1002, xrefs: 00D77372
.exe, xrefs: 00D77303

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: b985aa47364e1fea1a6a0275346fab8f3a35ba1cf5f130128149dfbdbd41585b
Instruction ID: 72cd3eaf267fd9e72f7565bb7403cfb31700858d743b974482841b79af038d3b
Opcode Fuzzy Hash: b985aa47364e1fea1a6a0275346fab8f3a35ba1cf5f130128149dfbdbd41585b
Instruction Fuzzy Hash: C7318731508219EFCF21AF50D904AAD3B7AFF04300F14C926FC6A961A1E771C9A0EBB1

Function 00D80831 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.exe, xrefs: 00D8095C, 00D809A2, 00D8096D, 00D80980
.exe, xrefs: 00D80997

Memory Dump Source

Source File: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID: .exe$.exe
API String ID: 0-1392631246
Opcode ID: 12783744cf0928c58748b301b9ce64bc1915b1ec5935e3907f7137e9f6aa85ef
Instruction ID: 39dc2a90c4b5bc73d79f0560c24c3bf69d2263d8bc000738ba3233bd86c8831c
Opcode Fuzzy Hash: 12783744cf0928c58748b301b9ce64bc1915b1ec5935e3907f7137e9f6aa85ef
Instruction Fuzzy Hash: 34416971900205EFEB65FF14D944BAD7FB1FF00324F288495E942AA192D371A8A8DFA5

Function 00D7779D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00D7772F,?,00000000,00000000), ref: 00D7785A
GetModuleHandleA.KERNEL32(00000000,?,?,?,00D7772F,?,00000000,00000000), ref: 00D77868

Strings

.dll, xrefs: 00D777D0

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: a5a8cf0e811e232467c1ac44b0a3fe5337e8d04d07277c3ed0d8a2da1900e57b
Instruction ID: da2b8b595bb10166bfb0f87d24dde16a2edd03c356df703f74a564f8fe155030
Opcode Fuzzy Hash: a5a8cf0e811e232467c1ac44b0a3fe5337e8d04d07277c3ed0d8a2da1900e57b
Instruction Fuzzy Hash: 8E113C30348A06EBDB319F14C80C7A97672FF00345F089A21A449844A1F7F5D9E4DAB3

Function 00D7A0F7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00EC1214,-11745FEC), ref: 00D7A170
GetFileAttributesA.KERNEL32(00000000,-11745FEC), ref: 00D7A17E

Strings

@, xrefs: 00D7A123

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 2c33b48a489ac1a96d70ee767d34efee72f41b57522b3ca79a1dcbeef33f7bc8
Instruction ID: e14b82a4df570377376048d26c7122f1022ba3c144cb755c9029e7f50807587a
Opcode Fuzzy Hash: 2c33b48a489ac1a96d70ee767d34efee72f41b57522b3ca79a1dcbeef33f7bc8
Instruction Fuzzy Hash: 4F018130104744FBEB219F5CC90A7AC7F70EF80305F64C125E84A69191F7B09A92DB72

Function 00D2BD12 Relevance: 4.6, APIs: 3, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00D2DB81
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00D2DBA8
GetNativeSystemInfo.KERNELBASE(?), ref: 00D2DBFF

Memory Dump Source

Source File: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: aa327d74e85173fc44f889163c72d9d2f17771f75d1e15ccd0dcf265fa9f0ee7
Instruction ID: b6c520a44b26d6512f386ed283a45b67dfef15b27bcdf85f135368af02cae7e3
Opcode Fuzzy Hash: aa327d74e85173fc44f889163c72d9d2f17771f75d1e15ccd0dcf265fa9f0ee7
Instruction Fuzzy Hash: E131297150825ECEDF21DF50D848AEF3BFAFB14308F45052AE84686910D7B69CA4DF29

Function 00D1ED4A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00D1ED4A

Strings

FYo, xrefs: 00D1ED8A

Memory Dump Source

Source File: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: FYo
API String ID: 1029625771-3913050832
Opcode ID: f340eddba7b5eeaf878a58ddfcf3aed9c3028f20b7f8fe77930cd141cb7ac5e0
Instruction ID: 53c7664503b042a37c342b28fb8a3cf4ba05163b82088337910bc813a9340555
Opcode Fuzzy Hash: f340eddba7b5eeaf878a58ddfcf3aed9c3028f20b7f8fe77930cd141cb7ac5e0
Instruction Fuzzy Hash: 6C312EF250C200AFD711AF19EC81A6AFBE5FF58720F16492DE6C993710E63698508B97

Function 00D76177 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 00D761D9

Strings

\\?\, xrefs: 00D76234

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 72d3edf9ac4587c20b4b66029913e2efc5ab1bf7b0622cff417b58841b092acc
Instruction ID: 70f239bf469758fa74c466882a7bb024866722f2f8f5f8e82bb0bb4f06b86680
Opcode Fuzzy Hash: 72d3edf9ac4587c20b4b66029913e2efc5ab1bf7b0622cff417b58841b092acc
Instruction Fuzzy Hash: CD313732601A09BFDF62CF94C909B9EBA75FF44301F048154FA05A5061F372DA60DB69

Function 00D77886 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00D778EA

Strings

.dll, xrefs: 00D778A7

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CurrentHandleModuleThread
String ID: .dll
API String ID: 2752942033-2738580789
Opcode ID: b761d9c1cb3c7a30725debef508b5d3bc86527418c2588a003023fa7cba789ed
Instruction ID: 7ec53aff87be07824c705d192b07e7b842ad949eaf7ef7385c4614b6db2b1c9c
Opcode Fuzzy Hash: b761d9c1cb3c7a30725debef508b5d3bc86527418c2588a003023fa7cba789ed
Instruction Fuzzy Hash: 75F09A71204304AFCF109F64D989BAA3BA9FF08301F14C521FE098A05AE770CAA0DB73

Function 00D7A313 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00EC1214,?,?,-11745FEC,?,?,?,-11745FEC,?), ref: 00D7A3C5

Part of subcall function 00D7A2C5: IsBadWritePtr.KERNEL32(?,00000004), ref: 00D7A2D3

CreateFileA.KERNEL32(?,?,?,-11745FEC,?,?,?,-11745FEC,?), ref: 00D7A3E5

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: ad2f41a328852b8043ea8ed10688ed71c8726e90e589e14d253dbdb77d54baf3
Instruction ID: df0d1477562783bcbfa75a5192fb8dabd0c1c595c3e08b5ce23dff4253fd9356
Opcode Fuzzy Hash: ad2f41a328852b8043ea8ed10688ed71c8726e90e589e14d253dbdb77d54baf3
Instruction Fuzzy Hash: CB11263100414AFBCF229FD8DC05BAD3B22BF84344F08C015B949240B1E7B6C9A1EB72

Function 00D79C7F Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

GetCurrentProcess.KERNEL32(-11745FEC), ref: 00D79C8C
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D79CF2

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessThread
String ID:
API String ID: 3748180921-0
Opcode ID: 3104a66a534b8a770a29047b5c0d33f6aec4a1ab8938e498ba1954ea127532a5
Instruction ID: 25657e4d27de0e956f29d33c63eed0045db3bde8a7a69a9270bcd4d5b6434180
Opcode Fuzzy Hash: 3104a66a534b8a770a29047b5c0d33f6aec4a1ab8938e498ba1954ea127532a5
Instruction Fuzzy Hash: D7014B7310050ABB8F23AFA4DD49CAE7B75FF54340B048111FA4995014E772C162EB71

Function 00D782FE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00D783B3

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 179829c69af0d309a033b4a2f1f0608e082b97ce30b4247a0d543130370fdf16
Instruction ID: a8fa08d7a4f85bde1fb803ad5a1366392e06f8342778fe72bc660cc47eac1742
Opcode Fuzzy Hash: 179829c69af0d309a033b4a2f1f0608e082b97ce30b4247a0d543130370fdf16
Instruction Fuzzy Hash: 8D319C71940205FBDB209F64DC89F9EBBB9FB44724F20C229F508EA191EBB19951DB20

Function 00D77B1A Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00D77B9C

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fcfed67e339cb7760576d11f70c9264f30a5d90b80143aafda5749d590c755a
Instruction ID: eb3770ae4f910947315b9fa66c2d5402db8661f026ff7bb43caf711758bd225a
Opcode Fuzzy Hash: 0fcfed67e339cb7760576d11f70c9264f30a5d90b80143aafda5749d590c755a
Instruction Fuzzy Hash: C331D571640209BBEB209F64DC86F9977B8FB04724F248A29F618EA1D1E7B1A551CB24

Function 00D8057E Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00D8062B

Memory Dump Source

Source File: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: f9cb30ba63672e702b097887671a1b967906b21f487f22cd70f1cda563285eef
Instruction ID: 8218abc88df400adebc5d59cf73bf0c6b1554f027283869085166139edbad885
Opcode Fuzzy Hash: f9cb30ba63672e702b097887671a1b967906b21f487f22cd70f1cda563285eef
Instruction Fuzzy Hash: A311D372A022259FFBB06A048C4ABAE7F7CEF94710F188091E805A6040E7709DD88FB1

Function 04E00D41 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E00DCD

Memory Dump Source

Source File: 00000000.00000002.2000626623.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a9dec572219555be3883437680b14e0e08263055b9cfadf69cced40fc9f355eb
Instruction ID: 83418463602859c3ffc67754c23a3c9b6a890683d2f20335117daa144964783b
Opcode Fuzzy Hash: a9dec572219555be3883437680b14e0e08263055b9cfadf69cced40fc9f355eb
Instruction Fuzzy Hash: 032149B6C00219CFCB40DF99E885BDEFBF1FB88310F15812AD918AB285D734A545CBA4

Function 04E00D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E00DCD

Memory Dump Source

Source File: 00000000.00000002.2000626623.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: af89820498f189b12669f43b4801a8218ec2f4dce88d0381f5a8c5a8e4b8f460
Instruction ID: c22ba37f579d84fa8d962b945b3f569e7566380dc58b7a9f96f4dad3896fabbb
Opcode Fuzzy Hash: af89820498f189b12669f43b4801a8218ec2f4dce88d0381f5a8c5a8e4b8f460
Instruction Fuzzy Hash: E32147B6C002089FCB50CF99D884BDEFBF4EB88310F15811AD818AB244C734A544CBA4

Function 04E01510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E01580

Memory Dump Source

Source File: 00000000.00000002.2000626623.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: f8aef4714ebf0e6eaf05ea1311c2ada515c01eabc173fc6269a1eb6c522939ab
Instruction ID: 9b135bda4dc3a2e78b8eab0ea58ef5b97a701d62f92ccdb7fad086a3c5a9bfab
Opcode Fuzzy Hash: f8aef4714ebf0e6eaf05ea1311c2ada515c01eabc173fc6269a1eb6c522939ab
Instruction Fuzzy Hash: A811E4B1D003499FDB10CF9AC985BDEFBF4EB48320F108029E559A7250D778A644CFA5

Function 04E01509 Relevance: 1.6, APIs: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E01580

Memory Dump Source

Source File: 00000000.00000002.2000626623.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 89c70181cea9582d2faa69a82a2c1c480417b650e725913b6369aa582b345b55
Instruction ID: 72bc69af9a1f09d3e15d6a4f3a0eb1f78abc93353b9cdbff163b4414da7781a2
Opcode Fuzzy Hash: 89c70181cea9582d2faa69a82a2c1c480417b650e725913b6369aa582b345b55
Instruction Fuzzy Hash: 6621E4B6D00249CFDB10CF9AD585BDEFBF4AB48320F108429D559A7290D778A684CFA5

Function 00D7AE4B Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11745FEC), ref: 00D7AED2

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CurrentFileThreadView
String ID:
API String ID: 1949693742-0
Opcode ID: 08bb722cef79e2a910b3607d4d6d0421ede6a3812fcf9f6de10367730e2b34ce
Instruction ID: e1f5083b4a2d50c6ca77b82aa503b449654df6a6208cae06538e097df29d7a80
Opcode Fuzzy Hash: 08bb722cef79e2a910b3607d4d6d0421ede6a3812fcf9f6de10367730e2b34ce
Instruction Fuzzy Hash: 3611BA3220020AEBCF12AFA8DD09D9F3F66EF84341B04C415FA5955425E776C9B2EB72

Function 00D7AC33 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 388e7a0cd12103f1d5b0c928d0715a512bc2c4f88ab3c5d3e70402b411e728ec
Instruction ID: 984a7e53ae4930695ddad1d9025f4940ba354511ae1d4a4c32f350336a8e3653
Opcode Fuzzy Hash: 388e7a0cd12103f1d5b0c928d0715a512bc2c4f88ab3c5d3e70402b411e728ec
Instruction Fuzzy Hash: B9118E3A00060AFBCF039F98C908A9E3B79FF84305F04C015F90956065E771CAA2EB72

Function 04E01301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E01367

Memory Dump Source

Source File: 00000000.00000002.2000626623.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: aaf99cb0eb44c8ea4c60d6358eced4fb333d53a919d17841710f39a1d4819d6e
Instruction ID: 5c3875f14b3f7f54cb57c325ff3afb0e83c08b19c1335fa0bf9b6e5510228fc5
Opcode Fuzzy Hash: aaf99cb0eb44c8ea4c60d6358eced4fb333d53a919d17841710f39a1d4819d6e
Instruction Fuzzy Hash: 0B1158B1800249CFDB10CF9AC985BEEFBF4EF48320F108429D558A7280C738A544CFA5

Function 04E01308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E01367

Memory Dump Source

Source File: 00000000.00000002.2000626623.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e00000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 7265690a27a153a3eb53c6cd8a5938a4027653a8fced042e4f83b7a56069b071
Instruction ID: 1d544d1ff08e6b0929ce70250e092ba427c38385649cbc1762e09e6e60f8681d
Opcode Fuzzy Hash: 7265690a27a153a3eb53c6cd8a5938a4027653a8fced042e4f83b7a56069b071
Instruction Fuzzy Hash: D51136B1800349CFDB10CF9AC845BEEFBF4EB48324F11841AD558A7290C778A584CFA5

Function 00D7A517 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11745FEC,?,?,00D78246,?,?,00000400,?,00000000,?,00000000), ref: 00D7A583

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CurrentFileReadThread
String ID:
API String ID: 2348311434-0
Opcode ID: 14fc4d96312409c00d11cd6b3e438ad4b47a22184ae310caa8d64ef17b4cf34c
Instruction ID: a597ffe11c1ed1b997e221eb6b26ad5955b4ec29a93f62d7b516fddd13899e43
Opcode Fuzzy Hash: 14fc4d96312409c00d11cd6b3e438ad4b47a22184ae310caa8d64ef17b4cf34c
Instruction Fuzzy Hash: F9F0193210050AEBCF129F98D809D9E3B36EF98340B048121F9494A024E772C9B1EB72

Function 00D75D95 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 00D75DF9

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: fb976021fbc09bdd931a213ddbd7cc5b691762cbb9b3888081fcab1dd21380b5
Instruction ID: 5af14743dff14ad421bda31c36631968dd770ef0f3eff943f54d5cb786a45f2a
Opcode Fuzzy Hash: fb976021fbc09bdd931a213ddbd7cc5b691762cbb9b3888081fcab1dd21380b5
Instruction Fuzzy Hash: C501E476A0050DBFCF219FA4DC08DDEBB76EF48381F049165F509A4164E7728A62DBB1

Function 00D801A8 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00D801A4,?,?,00D7FEAA,?,?,00D7FEAA,?,?,00D7FEAA), ref: 00D801C8

Memory Dump Source

Source File: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 37b61e1abd6082ee2fd90424812cd72c9055cd1b02c6e23cb151dddadb81b04f
Instruction ID: 80a3d01b6531339304257912bf8f40e543d992d79ed778e562b4cc44d0cbdefc
Opcode Fuzzy Hash: 37b61e1abd6082ee2fd90424812cd72c9055cd1b02c6e23cb151dddadb81b04f
Instruction Fuzzy Hash: 7FF0DCB1A00306EFD7649F08CC08B9DBFA5FF48321F108029F44AAB191D3B1A8D0CBA4

Function 00D78918 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

CloseHandle.KERNELBASE(00D782DB,-11745FEC,?,?,00D782DB,?), ref: 00D78956

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CloseCurrentHandleThread
String ID:
API String ID: 3305057742-0
Opcode ID: 98d29e2242bfb356e925cbe6f281562e9e4275dd4948337ab43e8c2f506cf718
Instruction ID: 4537e1fbbb0fee6e8e4e87c7e7a6d407f40572df5ca50c945ecb260ba8aed609
Opcode Fuzzy Hash: 98d29e2242bfb356e925cbe6f281562e9e4275dd4948337ab43e8c2f506cf718
Instruction Fuzzy Hash: E5E04872640546B6CD117774D90DE5E2B68DF81745700C122F54E59049FBA0C156D673

Function 00B8ED70 Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00B8F170

Memory Dump Source

Source File: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e33ea0d7856e1912aad216fef5636d7fced2ddffb5a754dade82e37b09d7a734
Instruction ID: 44fc80ce7ec453a853ef123f57dda2d6e79b7246826a1a4c7dada8c3f24a7147
Opcode Fuzzy Hash: e33ea0d7856e1912aad216fef5636d7fced2ddffb5a754dade82e37b09d7a734
Instruction Fuzzy Hash: 2CE0C2B010CA05EFE7007F45C9C0ABEFBE5EF58714F11482DE5C592610D2715890DB16

Function 00B8E8E9 Relevance: 1.3, APIs: 1, Instructions: 14memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00B8F121

Memory Dump Source

Source File: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4d27f630bad7d84e4aa5cddd852d617e21cd38d4ff3a4590ba048326d954ae25
Instruction ID: 38ffe426b93056de33b5cdf81626dee10e93092fdbfea08573b87055779c14a8
Opcode Fuzzy Hash: 4d27f630bad7d84e4aa5cddd852d617e21cd38d4ff3a4590ba048326d954ae25
Instruction Fuzzy Hash: C2E0EC3011824ECFCB047FB480491AE77B0EF04311F110658E9A295990DB326CA0DB0A

Function 00D779DD Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00D75A63,?,?), ref: 00D779E3

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6f37e4fe41055bd4115640d6cb8140102e6ab35b9e3da9dc5d3d629a3b204246
Instruction ID: e9a46cc54b4fb362023ef355be0fb0f72b90baf1a0bf72811c9fbb9092f4576e
Opcode Fuzzy Hash: 6f37e4fe41055bd4115640d6cb8140102e6ab35b9e3da9dc5d3d629a3b204246
Instruction Fuzzy Hash: F8B09B3100410977CB01BF51DC05C4D7F65FF11395700C110F54955121A771D5609BA0

Non-executed Functions

Function 00D79D11 Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

GetSystemTime.KERNEL32(?,-11745FEC), ref: 00D79D46
GetFileTime.KERNEL32(?,?,?,?,-11745FEC), ref: 00D79D89

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: Time$CurrentFileSystemThread
String ID:
API String ID: 2191017843-0
Opcode ID: 373e2fbed7b3fed6fc4cfe9421a9b870e38b2f5f130347d25735cd93a2e35aa6
Instruction ID: f0a3b14ab2a9513361d41338a2592f242a927e04dacf9411967a2ae1e2b8507a
Opcode Fuzzy Hash: 373e2fbed7b3fed6fc4cfe9421a9b870e38b2f5f130347d25735cd93a2e35aa6
Instruction Fuzzy Hash: C3012C32100945FBDB21AF29EC08E8EBF75FF81751B008122F44959064E772C4A1DB31

Function 00D7ABCF Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00D7AC16

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: be109a863a42b2dd75766463abf5ed30bdc46fb4246972b15e75b5630071b730
Instruction ID: e8495310f9d99bebf0a61b946977573a2cc9ddc893839f0de8a582f74cc891fd
Opcode Fuzzy Hash: be109a863a42b2dd75766463abf5ed30bdc46fb4246972b15e75b5630071b730
Instruction Fuzzy Hash: 1CF0F83660020AFFCF02CF98CA4498D7BB1FF45314B10C125FA159A611E376DAA1EF41

Function 00D1F450 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26892ef88ed10bf11e52d7ac1f1364987c7f20f7535c9edf3eb17786bfef2661
Instruction ID: 6008e9e1c5d6d5d2e1d88f8e25fed5c895c9aebf29554239eb4be460c313b191
Opcode Fuzzy Hash: 26892ef88ed10bf11e52d7ac1f1364987c7f20f7535c9edf3eb17786bfef2661
Instruction Fuzzy Hash: 1B41A5B251D3149FD305AF29DC8166AFBE8EF59650F060D2DE6C8D3341EA326841CB97

Function 00D1F449 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8619200514f8116caa45a9626df53e9ba3068ea5b07a68c3a1f7ab988e3d45
Instruction ID: 6004f304e325f580d025f6c17579d22d2fb0153b27364b37a1ebf9a66e0cb8b4
Opcode Fuzzy Hash: 8e8619200514f8116caa45a9626df53e9ba3068ea5b07a68c3a1f7ab988e3d45
Instruction Fuzzy Hash: EE4174B251C3149FD715AE29DC8167AFBE8EB58760F060D2DEAC5D3300EA3168408B97

Function 00D79247 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00D75BC4: GetCurrentThreadId.KERNEL32 ref: 00D75BD3

Part of subcall function 00D7A2C5: IsBadWritePtr.KERNEL32(?,00000004), ref: 00D7A2D3

wsprintfA.USER32 ref: 00D7928D
LoadImageA.USER32(?,?,?,?,?,?), ref: 00D79351

Strings

%8x, xrefs: 00D79288, 00D7928B
%8x, xrefs: 00D7931B, 00D7934E

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: CurrentImageLoadThreadWritewsprintf
String ID: %8x$%8x
API String ID: 439219941-2046107164
Opcode ID: 52bb34441eaf06d196a98e30f129338c1db0fb7fcb89e0f3c74522210a43dbcb
Instruction ID: 865dec043be095f6c992d85b41eab2b063883bb75bf87f616aff046906d78bc6
Opcode Fuzzy Hash: 52bb34441eaf06d196a98e30f129338c1db0fb7fcb89e0f3c74522210a43dbcb
Instruction Fuzzy Hash: 6C31157290010AFFCF119F94DC09EEEBB79FF84700F108126F515A61A0E7719A62DB60

Function 00D79E18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00EC1214,00004020,00000000,-11745FEC), ref: 00D79F05

Strings

@, xrefs: 00D79E44

Memory Dump Source

Source File: 00000000.00000002.1998492672.0000000000D6B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true

Associated: 00000000.00000002.1997835188.0000000000B80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997850527.0000000000B82000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997871498.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997890622.0000000000B8A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1997911051.0000000000B96000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998033367.0000000000CFF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998051365.0000000000D01000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998072892.0000000000D1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998089236.0000000000D1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D20000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998105092.0000000000D2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998141732.0000000000D2E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998158907.0000000000D31000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998176363.0000000000D3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998264211.0000000000D3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998280370.0000000000D3E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998296921.0000000000D44000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998438128.0000000000D5A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998457307.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998475411.0000000000D62000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998512849.0000000000D7C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998530666.0000000000D7F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998550107.0000000000D8C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998567268.0000000000D95000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998584849.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998601650.0000000000DA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998622648.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998641567.0000000000DB6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998658775.0000000000DC1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998674227.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998689455.0000000000DC3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998705122.0000000000DC4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998722517.0000000000DC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998740059.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998755006.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998772020.0000000000DCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998787618.0000000000DCF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998804775.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998821038.0000000000DD3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998837180.0000000000DD6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998857632.0000000000DE7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998873040.0000000000DE9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998891471.0000000000DF7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998906643.0000000000DF8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998934341.0000000000E27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998953856.0000000000E29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998973050.0000000000E32000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1998989939.0000000000E33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999006061.0000000000E3B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999042102.0000000000E4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999058213.0000000000E4C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b80000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 5828b06fac5dc1dd31cec63fe5659b4c013308449a05cfe67bc50ae94919bb57
Instruction ID: b891b0f3036c9d1632536627137af5f619fffa4ad4c9fe9e7cca93579d3876c7
Opcode Fuzzy Hash: 5828b06fac5dc1dd31cec63fe5659b4c013308449a05cfe67bc50ae94919bb57
Instruction Fuzzy Hash: 94316872504705EFDB25CF54C848B9EBBB4FF08310F148519F999A7250E3B1EAA5DBA0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7488, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7488, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 00D7FE05 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 00D1EE7B Relevance: 1.6, APIs: 1, Instructions: 101
libraryCOMMON

Function 00D77297 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 00D80831 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Function 00D7779D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 00D7A0F7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 00D2BD12 Relevance: 4.6, APIs: 3, Instructions: 76
registryCOMMON

Function 00D1ED4A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
libraryCOMMON

Function 00D76177 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 00D77886 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 00D7A313 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 00D79C7F Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 00D782FE Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON