Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1565423
MD5:	b339132a89d00baeb7ca4080af49e1e8
SHA1:	62160fe3b1ec51f214cb738c065ef40040de9cbe
SHA256:	5d38c8eea89b61fc0a7079bf280ad27430966ba25ae25176ae72c2b78a863009
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B339132A89D00BAEB7CA4080AF49E1E8)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01180AEA CryptVerifySignatureA,

0_2_01180AEA

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1417709920.0000000005460000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB56A4	0_2_00FB56A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5700	0_2_00FB5700
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAD9F3	0_2_00FAD9F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5B37	0_2_00FB5B37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5D32	0_2_00FB5D32

Source: file.exe, 00000000.00000002.1555696370.00000000018BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1397694708.0000000000FA6000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2799616 > 1048576

Source: file.exe

Static PE information: Raw size of ltedtzog is bigger than: 0x100000 < 0x2a5800

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.fa0000.0.unpack :EW;.rsrc:W;.idata :W;ltedtzog:EW;bxhrajpy:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2b0715 should be: 0x2aebdd

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: ltedtzog
Source: file.exe	Static PE information: section name: bxhrajpy
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAE3B1 push ebx; mov dword ptr [esp], 5A16C5CAh	0_2_00FAE8E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01122596 push ebp; mov dword ptr [esp], 52F7E487h	0_2_011225B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01122596 push ecx; mov dword ptr [esp], esi	0_2_01122607
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01122596 push 7BFFBCA0h; mov dword ptr [esp], edi	0_2_01122685
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011226BC push edx; mov dword ptr [esp], ebp	0_2_0112270A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011226BC push ecx; mov dword ptr [esp], 5B424A3Fh	0_2_01122722
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011226BC push 3DEAA066h; mov dword ptr [esp], ecx	0_2_0112279E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011226BC push edx; mov dword ptr [esp], ecx	0_2_011227C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F111 push 4A3E6C55h; mov dword ptr [esp], esi	0_2_0111F150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F111 push 1D8A8004h; mov dword ptr [esp], esp	0_2_0111F158
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01128111 push 5014574Eh; mov dword ptr [esp], ebx	0_2_01128180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112310E push ecx; mov dword ptr [esp], esi	0_2_01123173
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F13F push 4A3E6C55h; mov dword ptr [esp], esi	0_2_0111F150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F13F push 1D8A8004h; mov dword ptr [esp], esp	0_2_0111F158
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0112512C push edi; mov dword ptr [esp], esi	0_2_011255B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB20B5 push edx; mov dword ptr [esp], 0FBDCB39h	0_2_00FB20C6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01125172 push esi; mov dword ptr [esp], ecx	0_2_011257F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5088 push ebx; mov dword ptr [esp], edx	0_2_00FB50A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAD072 push 5DAB6F11h; mov dword ptr [esp], edi	0_2_00FAD077
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0113518C push ecx; mov dword ptr [esp], 0A8A1049h	0_2_011356CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011C21B8 push 0CB4FA64h; mov dword ptr [esp], ecx	0_2_011C220A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAF053 push ebp; mov dword ptr [esp], edi	0_2_00FAF084
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011331BD push 61605098h; mov dword ptr [esp], eax	0_2_011331D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011331A6 push 1A623AFCh; mov dword ptr [esp], ebp	0_2_011334DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5039 push 7E7EDCD4h; mov dword ptr [esp], ecx	0_2_00FB5047
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011351D8 push eax; mov dword ptr [esp], edx	0_2_01135771
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB2018 push ecx; mov dword ptr [esp], eax	0_2_00FB2026
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAD01F push ebp; mov dword ptr [esp], edx	0_2_00FAD02B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB1001 push edx; mov dword ptr [esp], ebp	0_2_00FB1002
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB1001 push 63466109h; mov dword ptr [esp], eax	0_2_00FB101B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB51F4 push ecx; mov dword ptr [esp], esi	0_2_00FB51FB

Source: file.exe

Static PE information: section name: entropy: 7.78628534462141

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FADAA9 second address: FADAAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FADAAE second address: FADABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123392 second address: 1123398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123398 second address: 11233B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FAA94F752C5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11233B2 second address: 1123409 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A03Eh 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jl 00007FAA9521A036h 0x00000010 jnl 00007FAA9521A036h 0x00000016 jmp 00007FAA9521A047h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FAA9521A048h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1123409 second address: 112340F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1117FCF second address: 1117FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11226DC second address: 11226E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11226E2 second address: 11226E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1122862 second address: 112288A instructions: 0x00000000 rdtsc 0x00000002 je 00007FAA94F752BCh 0x00000008 jp 00007FAA94F752B6h 0x0000000e jbe 00007FAA94F752C2h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112288A second address: 1122893 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1122B30 second address: 1122B35 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1122B35 second address: 1122B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FAA9521A040h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124684 second address: 11246D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b add dword ptr [ebp+122D20D1h], esi 0x00000011 popad 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FAA94F752B8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e pushad 0x0000002f mov eax, 1A6B06B5h 0x00000034 stc 0x00000035 popad 0x00000036 mov dh, 26h 0x00000038 push C9F04C3Bh 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push esi 0x00000041 pop esi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11246D5 second address: 11246D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124760 second address: 1124765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11248DD second address: 11248E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11248E1 second address: 1124906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAA94F752C7h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124906 second address: 112490B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112490B second address: 1124981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007FAA94F752B6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jp 00007FAA94F752C4h 0x00000016 pop eax 0x00000017 push eax 0x00000018 movsx edx, di 0x0000001b pop edx 0x0000001c push 00000003h 0x0000001e mov esi, dword ptr [ebp+122D1C81h] 0x00000024 push 00000000h 0x00000026 mov edx, dword ptr [ebp+122D20C5h] 0x0000002c jne 00007FAA94F752BCh 0x00000032 push 00000003h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FAA94F752B8h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e or dword ptr [ebp+122D1FCFh], edi 0x00000054 push BD1A3915h 0x00000059 push eax 0x0000005a push edx 0x0000005b push ebx 0x0000005c pushad 0x0000005d popad 0x0000005e pop ebx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124981 second address: 11249F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FAA9521A036h 0x00000009 jmp 00007FAA9521A03Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 7D1A3915h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FAA9521A038h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 jmp 00007FAA9521A043h 0x00000037 sub dword ptr [ebp+122D20CBh], eax 0x0000003d lea ebx, dword ptr [ebp+1244A570h] 0x00000043 mov dword ptr [ebp+122D1F45h], ecx 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FAA9521A03Ch 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11249F3 second address: 11249F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124A6C second address: 1124A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124A72 second address: 1124B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 add dword ptr [esp], 1FCC0A2Ch 0x0000000d xor dx, 45EDh 0x00000012 push 00000003h 0x00000014 mov ecx, 0586557Fh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007FAA94F752B8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov esi, dword ptr [ebp+122D2CB1h] 0x0000003b mov dword ptr [ebp+122D350Eh], ecx 0x00000041 push 00000003h 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007FAA94F752B8h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d call 00007FAA94F752B9h 0x00000062 jno 00007FAA94F752C0h 0x00000068 push eax 0x00000069 jmp 00007FAA94F752BDh 0x0000006e mov eax, dword ptr [esp+04h] 0x00000072 push eax 0x00000073 push edx 0x00000074 pushad 0x00000075 je 00007FAA94F752B6h 0x0000007b jmp 00007FAA94F752C2h 0x00000080 popad 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124B23 second address: 1124B28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1124B28 second address: 1124BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push edi 0x0000000c jmp 00007FAA94F752BBh 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 js 00007FAA94F752CBh 0x0000001d jmp 00007FAA94F752C5h 0x00000022 pop eax 0x00000023 pop eax 0x00000024 mov dword ptr [ebp+12445490h], edx 0x0000002a lea ebx, dword ptr [ebp+1244A57Bh] 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FAA94F752B8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, ecx 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FAA94F752C3h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145169 second address: 114516F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114516F second address: 114517C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114517C second address: 1145180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145180 second address: 11451A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FAA94F752C1h 0x0000000c jp 00007FAA94F752B6h 0x00000012 pop ebx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11452ED second address: 1145306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A043h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145306 second address: 1145313 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145313 second address: 1145332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A048h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145332 second address: 1145338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145338 second address: 114535B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FAA9521A04Bh 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FAA9521A043h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11455DC second address: 11455EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BAh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114571F second address: 1145737 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145B2B second address: 1145B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145C8B second address: 1145C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145DE9 second address: 1145DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145DEF second address: 1145DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FAA9521A03Eh 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1145DFE second address: 1145E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113AFB5 second address: 113AFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FAA9521A03Ch 0x0000000a ja 00007FAA9521A036h 0x00000010 push esi 0x00000011 jc 00007FAA9521A036h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1146AC9 second address: 1146AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752BDh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FAA94F752C4h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D176 second address: 114D199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FAA9521A049h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D199 second address: 114D19F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D19F second address: 114D1B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA9521A03Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D1B0 second address: 114D1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D1B8 second address: 114D1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114D1C0 second address: 114D1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAA94F752B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114F775 second address: 114F77E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114F77E second address: 114F7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop esi 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 jl 00007FAA94F752B8h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FAA94F752C5h 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114F7B5 second address: 114F7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E039 second address: 114E048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114E048 second address: 114E04D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11543CE second address: 11543D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11538A8 second address: 11538AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1153C68 second address: 1153CA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007FAA94F752C2h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007FAA94F752B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1153CA1 second address: 1153CA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1153CA7 second address: 1153CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11540E8 second address: 11540F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11540F2 second address: 11540F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11540F6 second address: 11540FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11540FC second address: 1154103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1154103 second address: 1154109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1154238 second address: 1154251 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BFh 0x00000007 ja 00007FAA94F752B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1156314 second address: 115631F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAA9521A036h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115631F second address: 11563BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007FAA94F752C2h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007FAA94F752C8h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e push edx 0x0000001f jmp 00007FAA94F752C5h 0x00000024 pop edx 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 je 00007FAA94F752BAh 0x0000002e push ebx 0x0000002f push edi 0x00000030 pop edi 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 jp 00007FAA94F752CEh 0x0000003c pop eax 0x0000003d jo 00007FAA94F752B9h 0x00000043 movzx edi, di 0x00000046 push 9F49B17Bh 0x0000004b pushad 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11563BA second address: 11563C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1156F4E second address: 1156F81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA94F752C3h 0x00000008 jnl 00007FAA94F752B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], ebx 0x00000014 sbb edi, 62610F87h 0x0000001a push eax 0x0000001b ja 00007FAA94F752D0h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1156F81 second address: 1156F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115734E second address: 115735F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FAA94F752B8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115735F second address: 1157364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157471 second address: 1157475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1157A46 second address: 1157A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11583B3 second address: 115841E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAA94F752BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FAA94F752CEh 0x00000011 pushad 0x00000012 jmp 00007FAA94F752C4h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b sub dword ptr [ebp+122D1E88h], esi 0x00000021 mov dword ptr [ebp+12464F59h], esi 0x00000027 push 00000000h 0x00000029 mov edi, 1C3F066Bh 0x0000002e push 00000000h 0x00000030 call 00007FAA94F752C8h 0x00000035 ja 00007FAA94F752B7h 0x0000003b pop edi 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1158263 second address: 115826C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159E64 second address: 1159E74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jno 00007FAA94F752B6h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1158C33 second address: 1158C3D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAA9521A03Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115A839 second address: 115A89F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and esi, dword ptr [ebp+122D1D87h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FAA94F752B8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e jne 00007FAA94F752BCh 0x00000034 or dword ptr [ebp+122D2E47h], eax 0x0000003a push 00000000h 0x0000003c pushad 0x0000003d mov ebx, dword ptr [ebp+122D2BF5h] 0x00000043 or eax, dword ptr [ebp+122D2A8Dh] 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e pop edx 0x0000004f pop eax 0x00000050 push ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B1DF second address: 115B1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B1E3 second address: 115B1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B1E9 second address: 115B21A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov di, B2E2h 0x0000000f mov dword ptr [ebp+122D39B4h], edi 0x00000015 push 00000000h 0x00000017 jnl 00007FAA9521A03Bh 0x0000001d mov edi, 506513B7h 0x00000022 push 00000000h 0x00000024 xor dword ptr [ebp+122D1D82h], ecx 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e pushad 0x0000002f popad 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115B21A second address: 115B220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BD5A second address: 115BD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115BA2E second address: 115BA32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C459 second address: 115C45D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115CEF1 second address: 115CF19 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAA94F752CEh 0x00000008 jmp 00007FAA94F752C8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C45D second address: 115C463 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115CF19 second address: 115CF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C25E second address: 110C278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A041h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115C463 second address: 115C468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C278 second address: 110C27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 110C27E second address: 110C283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115F7FA second address: 115F804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FAA9521A036h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115F804 second address: 115F86F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FAA94F752B8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D3683h], ecx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FAA94F752B8h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000017h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e mov edi, edx 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FAA94F752C0h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160AAD second address: 1160AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162AF3 second address: 1162B01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160AB1 second address: 1160AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162B01 second address: 1162B18 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAA94F752BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161CEE second address: 1161CF8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162B18 second address: 1162B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161CF8 second address: 1161CFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162B22 second address: 1162B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161CFE second address: 1161D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162B26 second address: 1162B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FAA94F752B8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov dword ptr [ebp+12471552h], ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FAA94F752B8h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 mov ebx, dword ptr [ebp+122D3536h] 0x0000004b mov bx, si 0x0000004e push 00000000h 0x00000050 xchg eax, esi 0x00000051 pushad 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 jmp 00007FAA94F752BBh 0x0000005a popad 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162B92 second address: 1162BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162BA1 second address: 1162BA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163B5B second address: 1163B65 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163B65 second address: 1163B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163B6B second address: 1163B8B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAA9521A040h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1163DFD second address: 1163E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11199DE second address: 1119A13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FAA9521A042h 0x0000000c jp 00007FAA9521A036h 0x00000012 jo 00007FAA9521A036h 0x00000018 pushad 0x00000019 jmp 00007FAA9521A048h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116710C second address: 116718B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007FAA94F752BDh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FAA94F752B8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D3520h], esi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FAA94F752B8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D2D29h] 0x00000055 push eax 0x00000056 pushad 0x00000057 jnp 00007FAA94F752BCh 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116718B second address: 116718F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116817B second address: 1168192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA94F752C3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168192 second address: 11681A9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FAA9521A036h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11681A9 second address: 11681AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11681AF second address: 11681B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168394 second address: 11683A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jl 00007FAA94F752B6h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C1D0 second address: 116C1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D2BA second address: 116D2C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D2C0 second address: 116D2C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D2C4 second address: 116D2C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D2C8 second address: 116D312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FAA9521A038h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov edi, 30987676h 0x0000002c push 00000000h 0x0000002e cld 0x0000002f xor ebx, dword ptr [ebp+122D36A0h] 0x00000035 xchg eax, esi 0x00000036 jne 00007FAA9521A03Ah 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push ecx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D312 second address: 116D317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A4CA second address: 116A4D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116A4D0 second address: 116A4D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116F547 second address: 116F572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAA9521A03Dh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jmp 00007FAA9521A03Fh 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171C1A second address: 1171C1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C401 second address: 116C405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116C405 second address: 116C409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D4A9 second address: 116D4AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D4AF second address: 116D4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116D595 second address: 116D5C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAA9521A03Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179E8F second address: 1179EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a jmp 00007FAA94F752C3h 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117A020 second address: 117A024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117A024 second address: 117A04A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752C3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FAA94F752BDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11855A3 second address: 11855A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11855A7 second address: 11855B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jp 00007FAA94F752B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11855B9 second address: 11855BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118A32E second address: 118A333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3F6 second address: 118D3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D3FC second address: 118D400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118D400 second address: 118D413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push esi 0x0000000a push ebx 0x0000000b jnl 00007FAA9521A036h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118F1CA second address: 118F1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118F1D5 second address: 118F1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193388 second address: 11933AA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAA94F752B6h 0x00000008 jmp 00007FAA94F752BFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11933AA second address: 11933C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAA9521A036h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jng 00007FAA9521A036h 0x00000012 popad 0x00000013 jns 00007FAA9521A038h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119397F second address: 1193991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jne 00007FAA94F752CEh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193AEC second address: 1193AFC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAA9521A036h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193AFC second address: 1193B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193B00 second address: 1193B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193B04 second address: 1193B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jp 00007FAA94F752B6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007FAA94F752B6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193E23 second address: 1193E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1193E28 second address: 1193E48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA94F752C5h 0x00000008 jnc 00007FAA94F752B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194117 second address: 1194134 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FAA9521A038h 0x0000000c popad 0x0000000d jl 00007FAA9521A052h 0x00000013 jg 00007FAA9521A03Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194134 second address: 119413E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119413E second address: 1194142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11943D8 second address: 11943EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752C1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11943EF second address: 11943F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11943F4 second address: 11943F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1194578 second address: 119457C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119457C second address: 1194582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1199079 second address: 1199081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1154B7E second address: 1154B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1154B88 second address: 1154B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1154B8C second address: 1154BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FAA94F752C2h 0x0000000f jne 00007FAA94F752BCh 0x00000015 nop 0x00000016 mov edi, dword ptr [ebp+122D2CB5h] 0x0000001c lea eax, dword ptr [ebp+1247A949h] 0x00000022 mov edx, dword ptr [ebp+122D2509h] 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b jnl 00007FAA94F752BCh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1154BC9 second address: 113AFCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA9521A047h 0x00000008 jnc 00007FAA9521A036h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jno 00007FAA9521A03Ch 0x00000018 nop 0x00000019 clc 0x0000001a add ecx, dword ptr [ebp+122D1E25h] 0x00000020 call dword ptr [ebp+1244AF77h] 0x00000026 jmp 00007FAA9521A040h 0x0000002b pushad 0x0000002c jbe 00007FAA9521A03Ch 0x00000032 jo 00007FAA9521A03Ch 0x00000038 ja 00007FAA9521A036h 0x0000003e push esi 0x0000003f jc 00007FAA9521A036h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11551CA second address: 11551D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FAA94F752B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11551D5 second address: 1155229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FAA9521A038h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jbe 00007FAA9521A041h 0x00000028 jmp 00007FAA9521A03Bh 0x0000002d call 00007FAA9521A039h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 jmp 00007FAA9521A03Fh 0x0000003a pop eax 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155229 second address: 115523F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAA94F752B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115523F second address: 1155243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115530D second address: 1155311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11553BA second address: 11553CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jne 00007FAA9521A040h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115553F second address: 1155544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115560F second address: 1155656 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A041h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jno 00007FAA9521A036h 0x00000014 popad 0x00000015 jno 00007FAA9521A038h 0x0000001b popad 0x0000001c nop 0x0000001d and cx, E1E0h 0x00000022 push 00000004h 0x00000024 push edx 0x00000025 mov cx, 78DEh 0x00000029 pop ecx 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FAA9521A03Ch 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155EAB second address: 1155EC5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAA94F752BCh 0x00000008 jne 00007FAA94F752B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FAA94F752BCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155EC5 second address: 1155F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ebx 0x00000009 call 00007FAA9521A038h 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], ebx 0x00000013 add dword ptr [esp+04h], 0000001Bh 0x0000001b inc ebx 0x0000001c push ebx 0x0000001d ret 0x0000001e pop ebx 0x0000001f ret 0x00000020 cld 0x00000021 lea eax, dword ptr [ebp+1247A98Dh] 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007FAA9521A038h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 push ecx 0x00000042 mov dword ptr [ebp+12452503h], ebx 0x00000048 pop edx 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FAA9521A043h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155F31 second address: 1155F4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA94F752C9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1198359 second address: 11983A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A040h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FAA9521A094h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAA9521A047h 0x00000016 jmp 00007FAA9521A047h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11983A3 second address: 11983A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11983A7 second address: 11983C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A046h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11983C7 second address: 11983CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119890C second address: 1198920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A03Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A13BF second address: 11A13C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A13C3 second address: 11A13C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A13C9 second address: 11A13F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007FAA94F752B6h 0x00000009 pop ecx 0x0000000a jmp 00007FAA94F752BBh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 jng 00007FAA94F752B8h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 jne 00007FAA94F752B6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A155F second address: 11A1575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 jmp 00007FAA9521A03Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1575 second address: 11A159B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FAA94F752C5h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jnp 00007FAA94F752B6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A159B second address: 11A15A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A184B second address: 11A1867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA94F752C2h 0x00000009 jl 00007FAA94F752B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1867 second address: 11A186D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A19CE second address: 11A19D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1D01 second address: 11A1D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1D07 second address: 11A1D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1E29 second address: 11A1E49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAA9521A041h 0x0000000c jo 00007FAA9521A036h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A84B9 second address: 11A84BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A84BD second address: 11A84C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A84C1 second address: 11A84C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A84C7 second address: 11A84D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A84D5 second address: 11A84EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A6EAB second address: 11A6EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A71FD second address: 11A7201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A736B second address: 11A7377 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAA9521A03Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A765E second address: 11A766D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA94F752BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A766D second address: 11A76AA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FAA9521A046h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FAA9521A047h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7A67 second address: 11A7A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7A6D second address: 11A7A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8329 second address: 11A8330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B15BB second address: 11B15CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAA9521A036h 0x0000000a popad 0x0000000b push ecx 0x0000000c jns 00007FAA9521A036h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B15CF second address: 11B15D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B15D4 second address: 11B15DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FAA9521A036h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B171E second address: 11B1722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B1722 second address: 11B175D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAA9521A036h 0x00000008 jbe 00007FAA9521A036h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FAA9521A041h 0x00000016 jmp 00007FAA9521A042h 0x0000001b jnc 00007FAA9521A036h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B175D second address: 11B177B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA94F752C8h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B177B second address: 11B177F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B177F second address: 11B17BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752C3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FAA94F752C7h 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B17BA second address: 11B17BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4397 second address: 11B439B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B439B second address: 11B43AB instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAA9521A036h 0x00000008 jne 00007FAA9521A036h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B43AB second address: 11B43C0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAA94F752BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B43C0 second address: 11B43C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B43C6 second address: 11B43E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAA94F752B6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007FAA94F752C2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B40BB second address: 11B40C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB200 second address: 11BB22C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FAA94F752B6h 0x0000000a pop eax 0x0000000b push esi 0x0000000c ja 00007FAA94F752B6h 0x00000012 jmp 00007FAA94F752BAh 0x00000017 pop esi 0x00000018 pushad 0x00000019 jmp 00007FAA94F752BAh 0x0000001e push eax 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB22C second address: 11BB236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB236 second address: 11BB24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FAA94F752BDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB24E second address: 11BB276 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A048h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FAA9521A036h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB276 second address: 11BB27F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BB27F second address: 11BB287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9A44 second address: 11B9A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jmp 00007FAA94F752BAh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop ecx 0x00000014 jbe 00007FAA94F752C6h 0x0000001a jmp 00007FAA94F752BEh 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9A73 second address: 11B9A86 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAA9521A03Eh 0x00000008 jnc 00007FAA9521A036h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9A86 second address: 11B9A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9E85 second address: 11B9EA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A042h 0x00000009 popad 0x0000000a push edx 0x0000000b js 00007FAA9521A036h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9EA4 second address: 11B9EBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FAA94F752BEh 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA066 second address: 11BA073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA073 second address: 11BA07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAA94F752B6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA254 second address: 11BA259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA259 second address: 11BA269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA94F752BAh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA269 second address: 11BA278 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A03Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115581B second address: 1155836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752C6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155836 second address: 1155850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA9521A046h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155850 second address: 11558A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FAA94F752B8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov edx, esi 0x00000027 add dword ptr [ebp+122D20E0h], edx 0x0000002d mov ebx, dword ptr [ebp+1247A988h] 0x00000033 jmp 00007FAA94F752BEh 0x00000038 add eax, ebx 0x0000003a mov dx, B93Bh 0x0000003e nop 0x0000003f pushad 0x00000040 push edi 0x00000041 pushad 0x00000042 popad 0x00000043 pop edi 0x00000044 push eax 0x00000045 push edx 0x00000046 jc 00007FAA94F752B6h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11558A9 second address: 11558CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jmp 00007FAA9521A046h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11558CB second address: 11558D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FAA94F752B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11558D6 second address: 115593B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D2C65h] 0x0000000e push 00000004h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FAA9521A038h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push eax 0x0000002b movsx ecx, si 0x0000002e pop edi 0x0000002f jmp 00007FAA9521A048h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FAA9521A03Eh 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115593B second address: 115593F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115593F second address: 1155945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1155945 second address: 115594B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115594B second address: 115594F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA423 second address: 11BA454 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAA94F752BAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FAA94F752C0h 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 jmp 00007FAA94F752BDh 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA454 second address: 11BA46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA9521A03Eh 0x00000009 jl 00007FAA9521A036h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BA5D3 second address: 11BA5DD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAA94F752B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE940 second address: 11BE946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BED6C second address: 11BED8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAA94F752C8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BEF1D second address: 11BEF24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BF093 second address: 11BF0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FAA94F752BFh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAA94F752C4h 0x00000011 jnc 00007FAA94F752B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 111D08C second address: 111D094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C225D second address: 11C2261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C2261 second address: 11C2267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CBA9A second address: 11CBA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CBA9E second address: 11CBAAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnp 00007FAA9521A036h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CBAAB second address: 11CBAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C9B4E second address: 11C9B52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C9B52 second address: 11C9B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C9B58 second address: 11C9B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA07F second address: 11CA0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 ja 00007FAA94F752B6h 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAA94F752C1h 0x0000001c jmp 00007FAA94F752C7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA3A5 second address: 11CA3A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA3A9 second address: 11CA3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FAA94F752C0h 0x0000000e jmp 00007FAA94F752BAh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop edx 0x00000019 jmp 00007FAA94F752BFh 0x0000001e push esi 0x0000001f pop esi 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jp 00007FAA94F752B6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA3E1 second address: 11CA3E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA3E5 second address: 11CA3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA70B second address: 11CA73F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA9521A048h 0x00000008 jmp 00007FAA9521A047h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA73F second address: 11CA74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jo 00007FAA94F752C2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CA74E second address: 11CA754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CB1F5 second address: 11CB209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752BFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CB209 second address: 11CB221 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAA9521A03Ch 0x00000008 jng 00007FAA9521A03Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D07C2 second address: 11D07C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D07C6 second address: 11D07DE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FAA9521A042h 0x00000010 ja 00007FAA9521A036h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D49EB second address: 11D49F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D49F1 second address: 11D49F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D3C68 second address: 11D3C80 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAA94F752B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FAA94F752BEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D3C80 second address: 11D3C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FAA9521A036h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D4084 second address: 11D408C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D408C second address: 11D40BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007FAA9521A046h 0x0000000d jmp 00007FAA9521A03Ah 0x00000012 jl 00007FAA9521A036h 0x00000018 pushad 0x00000019 push ebx 0x0000001a pushad 0x0000001b popad 0x0000001c pop ebx 0x0000001d pushad 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 jo 00007FAA9521A036h 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D4538 second address: 11D4542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D4542 second address: 11D4576 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FAA9521A049h 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f jnl 00007FAA9521A03Eh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBCAE second address: 11DBCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE53 second address: 11DBE58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE58 second address: 11DBE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE5E second address: 11DBE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jno 00007FAA9521A036h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE73 second address: 11DBE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE79 second address: 11DBE83 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAA9521A036h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE83 second address: 11DBE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE8C second address: 11DBE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DBE93 second address: 11DBEAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAA94F752C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DC48B second address: 11DC4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A045h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD1A5 second address: 11DD1BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAA94F752C0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DD1BB second address: 11DD1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FAA9521A036h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FAA9521A046h 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007FAA9521A036h 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DDBB6 second address: 11DDBBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DDBBE second address: 11DDBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6B69 second address: 11E6B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6B6D second address: 11E6B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6B71 second address: 11E6B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6B7D second address: 11E6BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAA9521A047h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6BA5 second address: 11E6BB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E6BB0 second address: 11E6BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F403E second address: 11F4048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F4048 second address: 11F404E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F404E second address: 11F4062 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jl 00007FAA94F752B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007FAA94F752C2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F3C59 second address: 11F3C63 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAA9521A036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F3C63 second address: 11F3C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F3C6D second address: 11F3C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE135 second address: 11FE14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752C1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE14F second address: 11FE153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE153 second address: 11FE157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE157 second address: 11FE163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE163 second address: 11FE169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE169 second address: 11FE16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11FE16D second address: 11FE1C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BEh 0x00000007 jmp 00007FAA94F752C8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jng 00007FAA94F752B6h 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FAA94F752C9h 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120312C second address: 1203144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A040h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1203144 second address: 120314A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206C72 second address: 1206C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206C76 second address: 1206C9C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAA94F752B6h 0x00000008 jmp 00007FAA94F752C9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1206C9C second address: 1206CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FAA9521A03Eh 0x0000000f jmp 00007FAA9521A045h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EE80 second address: 120EE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EE86 second address: 120EE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EE8F second address: 120EE93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EE93 second address: 120EEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAA9521A041h 0x0000000f jmp 00007FAA9521A048h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EEC6 second address: 120EECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EECA second address: 120EED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FAA9521A042h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EED8 second address: 120EEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAA94F752B6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAA94F752C4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EEF9 second address: 120EF02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EF02 second address: 120EF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752C6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D6F9 second address: 120D706 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007FAA9521A036h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D706 second address: 120D70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120D9C8 second address: 120D9E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A044h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DC87 second address: 120DC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DC8B second address: 120DC91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DC91 second address: 120DCB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FAA94F752B6h 0x0000000d jmp 00007FAA94F752C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DCB6 second address: 120DCBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DCBC second address: 120DCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DE1E second address: 120DE25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120DE25 second address: 120DE3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA94F752BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FAA94F752B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EB3D second address: 120EB41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EB41 second address: 120EB54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jnp 00007FAA94F752CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EB54 second address: 120EB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120EB58 second address: 120EB5E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212A34 second address: 1212A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A03Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121C8EC second address: 121C8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121EEFB second address: 121EF1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A045h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FAA9521A036h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121EF1E second address: 121EF24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122A8E8 second address: 122A8F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122A8F3 second address: 122A906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAA94F752B6h 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007FAA94F752B6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123172E second address: 123173D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123173D second address: 123175A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA94F752C9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123175A second address: 123175E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12312CF second address: 12312D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12312D3 second address: 12312D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12312D7 second address: 12312E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752BAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12388FF second address: 1238905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1238905 second address: 1238910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1238910 second address: 1238925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA9521A041h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1238925 second address: 1238929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1237BB8 second address: 1237BE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A044h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jg 00007FAA9521A036h 0x00000012 js 00007FAA9521A036h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1237BE0 second address: 1237BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1237BEA second address: 1237C07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAA9521A046h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1237D79 second address: 1237D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jnp 00007FAA94F752B6h 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FAA94F752C4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1238092 second address: 12380A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FAA9521A036h 0x00000011 jng 00007FAA9521A036h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12380A9 second address: 12380AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12380AD second address: 12380B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1238260 second address: 123826A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAA94F752B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1238626 second address: 123863E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAA9521A044h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1242BFC second address: 1242C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752C0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1242C16 second address: 1242C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123CF71 second address: 123CF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAA94F752BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115921C second address: 115922F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007FAA9521A036h 0x00000012 popad 0x00000013 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FADB34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1154D13 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 57D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 77D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_011247CF rdtsc

0_2_011247CF

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7856

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_011247CF rdtsc

0_2_011247CF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAB7C6 LdrInitializeThunk,

0_2_00FAB7C6

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: , Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1565423
Start date and time:	2024-11-29 19:49:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.500777239175924
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'799'616 bytes
MD5:	b339132a89d00baeb7ca4080af49e1e8
SHA1:	62160fe3b1ec51f214cb738c065ef40040de9cbe
SHA256:	5d38c8eea89b61fc0a7079bf280ad27430966ba25ae25176ae72c2b78a863009
SHA512:	fa041d814b62e8ca6a9da3023af3a54f587f75e3212b21cd0b6e4a6df59587bea0e528d2a075d6ed2b2695ef98583fe40259453ac2d25ac167c9a920e552d5a0
SSDEEP:	49152:FJ2K3bA2539U9oT/tag5EduOohp1ucH9SPtYt6BcQw:FJ2K3bA2539ioT/tag2dgmFYxl
TLSH:	A8D53B92B40971CFD48E2774A62BCD82595D03F94B2808C39D69F5BABE73CC526B5C38
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... +.. ...`....@.. .......................`+.......+...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6b2000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FAA950E78EAh
setbe byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+00000080h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi-80h], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jno 00007FAA950E78E6h
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lahf
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	078a5ee8d0d0c7b3607d55236bfbb41c	False	0.9338107638888888	data	7.78628534462141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ltedtzog	0xa000	0x2a6000	0x2a5800	31d5502f504d8d6a5ec60e0ec705eb9f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bxhrajpy	0x2b0000	0x2000	0x400	075039460c3eb740c0e26c1cb13a7d14	False	0.822265625	data	6.303930273107793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2b2000	0x4000	0x2200	1dc23613acbad380fac11a470cfe17cf	False	0.07146139705882353	DOS executable (COM)	0.8071442689631655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	13:50:03
Start date:	29/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfa0000
File size:	2'799'616 bytes
MD5 hash:	B339132A89D00BAEB7CA4080AF49E1E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	11.3%
Signature Coverage:	3.7%
Total number of Nodes:	80
Total number of Limit Nodes:	4

Executed Functions

Function 011247CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 01124839

Strings

C, xrefs: 01124C51

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: 8d827e90b817bde0409f839e7fc69c6fb8d1c7efa88159b2fcd9b81e5fd46c71
Instruction ID: 25a7e2e27e54275a44ae06f350da927c960eb04dfc27a184ad01a2ef3fe7d086
Opcode Fuzzy Hash: 8d827e90b817bde0409f839e7fc69c6fb8d1c7efa88159b2fcd9b81e5fd46c71
Instruction Fuzzy Hash: 9C3148B710C16A6FD70ECFB895544FE7BA9EB86630B304526E502CBD02D3A60E788761

Function 00FAB7C6 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 00FAB936

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: c3b0c12dcd118589c3805563a7bbf584b9a9810fdb23dc695a8c8c525be13229
Instruction ID: ce5639a43759f9d12ba1571f73f3cc08cca9366f78fa15e30aa989d398cf67b0
Opcode Fuzzy Hash: c3b0c12dcd118589c3805563a7bbf584b9a9810fdb23dc695a8c8c525be13229
Instruction Fuzzy Hash: D2E0C2B25188C99ADB169F748C0179B371DEB47700FA00128FA019AE4BCB7D5D12E795

Function 01180012 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(018F18D4,-11325FEC), ref: 0118008B
GetFileAttributesA.KERNEL32(00000000,-11325FEC), ref: 01180099

Strings

@, xrefs: 0118003E

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 90ce32b3723506242255d1cb68b30271fb7bfeb039389484720b4d197499f74d
Instruction ID: 8afe93d266746ff42982f6ae54be841d3dfcce955408459de4fee5ed4c34a873
Opcode Fuzzy Hash: 90ce32b3723506242255d1cb68b30271fb7bfeb039389484720b4d197499f74d
Instruction Fuzzy Hash: F2016D7150420AFAEF3EBF68C9087AD7E71BF143C9F118125F506691A0C3B29ADADE45

Function 011335E1 Relevance: 4.6, APIs: 3, Instructions: 60
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0113362E
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 01133655
GetNativeSystemInfo.KERNELBASE(?), ref: 011336AC

Memory Dump Source

Source File: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: a9b94cd72a13ad13abe87a0a528e12133fe10369b71e29dc5dee81056d3af824
Instruction ID: ed567857fc0c7bea6e0de2b2a130ad90870535d676b41bc30718b124cb7e74bc
Opcode Fuzzy Hash: a9b94cd72a13ad13abe87a0a528e12133fe10369b71e29dc5dee81056d3af824
Instruction Fuzzy Hash: 232139B101420E9EEF22DF60C849BDE3AA9FF45310F100226E95295956EB764EB4DF1C

Function 011249BA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(0000001E,049F363E), ref: 01124A16

Strings

C, xrefs: 01124C51

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: cd3e5b0a88a848cf0c3e16ce1db447a6565c56bc9ba66d42540626f97fc01944
Instruction ID: 71c8f313fca67f9a4e70589e1a0b1f63aa62a107eb285509b5e7ebd94dc7d826
Opcode Fuzzy Hash: cd3e5b0a88a848cf0c3e16ce1db447a6565c56bc9ba66d42540626f97fc01944
Instruction Fuzzy Hash: F331D6B610C12AAFE70DCE6899549FF7BA8EB85230B21452AF902C7E01D3A50D358639

Function 0118022E Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(018F18D4,?,-11325FEC,?,?,?,?,-11325FEC), ref: 011802E0

Part of subcall function 011801E0: IsBadWritePtr.KERNEL32(?,00000004), ref: 011801EE

CreateFileA.KERNEL32(?,?,-11325FEC,?,?,?,?,-11325FEC), ref: 01180300

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: d4f042215bfff8e1b85fcfdd1cd4c3c306bc1afb3d9dc406d1063e68a6e30a23
Instruction ID: 296fbb2d108df4a66755245b5baa17eb720ddefbbb08286012ab0a7e19abf900
Opcode Fuzzy Hash: d4f042215bfff8e1b85fcfdd1cd4c3c306bc1afb3d9dc406d1063e68a6e30a23
Instruction Fuzzy Hash: 8811E43210454EFBDF2AAFA4DD04B9E3E72BF18348F058115FA0664060D7B6C5A9EF51

Function 0117FB9A Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(-11325FEC), ref: 0117FBA7
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117FC0D

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CurrentDuplicateHandleProcess
String ID:
API String ID: 1009649615-0
Opcode ID: bcf6e909e8c2e400994edc7194745893c15152099ee0111fafabf81aef584948
Instruction ID: 286c01b82f792e6b461b0e6f7c6ff23915312f0717dd138ef542484a611e31ff
Opcode Fuzzy Hash: bcf6e909e8c2e400994edc7194745893c15152099ee0111fafabf81aef584948
Instruction Fuzzy Hash: BD01FB7210010BFB8F26AFA8DC04DAF3B75BF592547048511F91196114C736D462EB62

Function 011226BC Relevance: 1.6, APIs: 1, Instructions: 132
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 011226BC

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ceb90f1601226f3a490cea0479da1fe62dc73526560000957d7d2ccd87b55ad9
Instruction ID: 623efbe7097f69ae061e98f247e0588d5b751134e9b1f6f07d11aa13236e900e
Opcode Fuzzy Hash: ceb90f1601226f3a490cea0479da1fe62dc73526560000957d7d2ccd87b55ad9
Instruction Fuzzy Hash: 4B415EF250C304EFE3056F05ED81ABEFBE9EB94760F12892DE6C086600E73548549A6B

Function 01122596 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 01122596

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6aeb7fca5cd30338e1d6610512c5cad2223c172dfe104659d6b626a3ed58343d
Instruction ID: 49dac1834a2800feb1d371f2f3a8655b1117cb3c887e79b48c106bb5cc3eb1d3
Opcode Fuzzy Hash: 6aeb7fca5cd30338e1d6610512c5cad2223c172dfe104659d6b626a3ed58343d
Instruction Fuzzy Hash: 753114B280C200AFD7026F29D8456AEFBE5FF94710F06082EEAD493210E7759854CB97

Function 05620D41 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05620DCD

Memory Dump Source

Source File: 00000000.00000002.1557500140.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: fbdb748a396ea46dd248ab5f8114713508876d57638a1a02d83e2419bd2afc40
Instruction ID: 8f1d95359e0df83a59f391237af5e6ce7b2dd6604ba9101f9aefba04448ac1a2
Opcode Fuzzy Hash: fbdb748a396ea46dd248ab5f8114713508876d57638a1a02d83e2419bd2afc40
Instruction Fuzzy Hash: EE2123BAC016199FCB50CF99D988BDEFBB1BF88720F14851AD809AB344D734A544CFA5

Function 05620D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05620DCD

Memory Dump Source

Source File: 00000000.00000002.1557500140.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 4962f47697022277a65a050148a4a6379b11eaa48e0e54842c4fc98a1fbacc4f
Instruction ID: 1072b7b078b12159f30e72594277d91582a1602457361c59a6aebf5563543a9e
Opcode Fuzzy Hash: 4962f47697022277a65a050148a4a6379b11eaa48e0e54842c4fc98a1fbacc4f
Instruction Fuzzy Hash: E32102B68016199FCB50CF9AD884ADEFBF4FB88720F14861AD809AB345D774A544CFA4

Function 05621509 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 05621580

Memory Dump Source

Source File: 00000000.00000002.1557500140.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 9d22ee43ac6b86f4906b6c53c965624fd61d3742bfe578293228ffeac220bbf6
Instruction ID: 012374dd4f8bfae07d88fb60843f578128c9610fbc4a1904cc957d16e3a386e3
Opcode Fuzzy Hash: 9d22ee43ac6b86f4906b6c53c965624fd61d3742bfe578293228ffeac220bbf6
Instruction Fuzzy Hash: 0F2117B5D002498FDB10CF9AC584BEEFBF4BB48320F10842AD559A7640D378A644CFA5

Function 05621510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 05621580

Memory Dump Source

Source File: 00000000.00000002.1557500140.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: d058269378de8b4a808c4fed3df95e28e617212ec68d13c1b05f70dee1bee7d7
Instruction ID: 179477157de5f609008fe658c31d561060efc2e30eed1d130849b8f304fc9028
Opcode Fuzzy Hash: d058269378de8b4a808c4fed3df95e28e617212ec68d13c1b05f70dee1bee7d7
Instruction Fuzzy Hash: 0511E4B19047599FDB10CF9AC584BDEFBF4FB48320F108029E959A3250D778AA44CFA5

Function 01180D66 Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 01180DED

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7034414e6211e9228d9f25aaa2d8651778b0e498181a6220b2089c6950726291
Instruction ID: 727fe19ea9ec2276f9007c0f8753ac561f64b9eed9d0717f79c58005132ea54d
Opcode Fuzzy Hash: 7034414e6211e9228d9f25aaa2d8651778b0e498181a6220b2089c6950726291
Instruction Fuzzy Hash: 0C11A53210420AFFCF1AAFA8DC08D9F3F76BF58254B048511FA1156464C73694B5EFA2

Function 01180B4E Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6200cb8ba0e3832a38c0c2556ebc39879d16db58d0c7aff5b5bdd872c9c713f7
Instruction ID: dd5a071fe8ad3795d6dcaf2dddebeb521920d39310f49eebc35a596ba6270872
Opcode Fuzzy Hash: 6200cb8ba0e3832a38c0c2556ebc39879d16db58d0c7aff5b5bdd872c9c713f7
Instruction Fuzzy Hash: 3111393650420EFEDF2ABFA8C808E9E3AB5AF58348F008154F91146160C736C6A9DF51

Function 05621301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 05621367

Memory Dump Source

Source File: 00000000.00000002.1557500140.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: feadd60359cbe785bf1dc3bceda61b2fa3487e20f2c887722dbf19bd17505b61
Instruction ID: cf7e24615dc178dbeba8ec29bb2fb0d8203304271b048a71fe15758f73fa49b9
Opcode Fuzzy Hash: feadd60359cbe785bf1dc3bceda61b2fa3487e20f2c887722dbf19bd17505b61
Instruction Fuzzy Hash: 90112875804359CFDB10DF9AD484BDEBBF4EF48320F14842AD918A7640C778A544CFA5

Function 05621308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 05621367

Memory Dump Source

Source File: 00000000.00000002.1557500140.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5620000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: dfc92a38611de940a7757a05ad468c95a2f4b2d44340edd951793a96f8daf64e
Instruction ID: e588ce340e2f196337fdcf64a1b6e5fd5d873e8ec53bbe37d45d256858396af4
Opcode Fuzzy Hash: dfc92a38611de940a7757a05ad468c95a2f4b2d44340edd951793a96f8daf64e
Instruction Fuzzy Hash: C41136B180035ACFDB10CF9AC444BDEFBF4EB48320F20841AD518A3640C778A544CFA5

Function 01180432 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,?), ref: 0118049E

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9eaa2d5ccfa0295a304f8f1480e92bd34d48f60ca4802e334231bcbeb45f2875
Instruction ID: 7bbdaea1d05c92fb48158b733cd77c39039913f1b3950a1590bbe57cf772a60c
Opcode Fuzzy Hash: 9eaa2d5ccfa0295a304f8f1480e92bd34d48f60ca4802e334231bcbeb45f2875
Instruction Fuzzy Hash: CBF0C93214414AFFDF1AAF98D804E9A3F76BF59354F008521FA124A124D732C4B5DF65

Function 011247FE Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01124839

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4bf1031797a6192acc05ce4f7bd912ded05eca4d5163651731314f56add0fa8c
Instruction ID: 3f93e1c281cd8c76ec40840c73ebd0bef902a453e1b60fb66e3e6f069f50c2ad
Opcode Fuzzy Hash: 4bf1031797a6192acc05ce4f7bd912ded05eca4d5163651731314f56add0fa8c
Instruction Fuzzy Hash: 7CE0DF676940970A862BEFF499540EAAB6AF893C703301135C0529FC6BF68386978190

Function 01124B89 Relevance: 1.5, APIs: 1, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01124BCE

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 18e881fe5f4062e21ee4a37cac92c0dbb28bc1b2ef82095b804a29fbce8093c6
Instruction ID: d05e4482bcf34d528d12d60c3183973a7a38650aad3a31e5295fd3dccf007b34
Opcode Fuzzy Hash: 18e881fe5f4062e21ee4a37cac92c0dbb28bc1b2ef82095b804a29fbce8093c6
Instruction Fuzzy Hash: C9E068F610C276ACE72D6B645CD0BBEB719EBD1331B111149E580C6C83E3A410A68323

Function 01124B9A Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01124BCE

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d5efd790d44d23aed81ff78ff13103395762e9fc952a99d6f4d5ca23c8a6e637
Instruction ID: eadadf099166b6ba9eff602dc31a9382397626057c214b363c2893de32c267ad
Opcode Fuzzy Hash: d5efd790d44d23aed81ff78ff13103395762e9fc952a99d6f4d5ca23c8a6e637
Instruction Fuzzy Hash: 8BE026F55482336DD7296F386CD0BBE7311FAD0625B10109ED040C7C87C31540AF5322

Function 011249EC Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(0000001E,049F363E), ref: 01124A16

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f94d61d5e9c293a8e35cdbf60cf151584a4ffda745476de18905e9dabcffe340
Instruction ID: 064b278b7c074cd1213ff994719aad0bd8643383bf54e558f81576f2c855f092
Opcode Fuzzy Hash: f94d61d5e9c293a8e35cdbf60cf151584a4ffda745476de18905e9dabcffe340
Instruction Fuzzy Hash: CDE0C27300C2229CF314DA545D607B9B788CB94128B21881FE145C1C42C3650966863A

Function 01133234 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 01133243

Memory Dump Source

Source File: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 18589f44c0efc0194ca1f87151c43d18d11a4d44dfbb986e20b1fe77e19bcf32
Instruction ID: eaa064fa7406e7c39fefe75e4ec5af4f48e6a590dc8400962106b9193ae15fd7
Opcode Fuzzy Hash: 18589f44c0efc0194ca1f87151c43d18d11a4d44dfbb986e20b1fe77e19bcf32
Instruction Fuzzy Hash: 36D0E27560C305DBCB062F28D88422EFBE4FF08301F42092C9AC543600EB3208608B97

Function 01124BCC Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01124BCE

Memory Dump Source

Source File: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3cf226a23965623fa00a3cfbba7eba9ef8009a18014ac7a974d57f67b783106d
Instruction ID: ab1b0028e783919ba9cffe28267fab04688055f5275a7dcc49a702ce84650aa9
Opcode Fuzzy Hash: 3cf226a23965623fa00a3cfbba7eba9ef8009a18014ac7a974d57f67b783106d
Instruction Fuzzy Hash: 80A0220228C3F330E00333380CE0BBCCB800FE2A28F000088E288008C28B8830332203

Function 00FAE3B1 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00FAEFF9

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0bdd7078a69c2976524a1a91aec89c9a982e41acbc46fbd95e287185c92c90d
Instruction ID: b8e739ac53edf20be1228b62d2f8ee4d479df097b7c1d790ebda727c564861ba
Opcode Fuzzy Hash: d0bdd7078a69c2976524a1a91aec89c9a982e41acbc46fbd95e287185c92c90d
Instruction Fuzzy Hash: 651122F211C708DFD3007F55A88573AFBF4EF85710F22882DE6D68A200E2314881AB57

Function 00FAEC3B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00FAEC3B

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce3f616a2da9b271ba885456be433d390fa156b4290fcb1675b5cba843e4f193
Instruction ID: 13b9aaca83b83d7801aa32f9e3392d7c8f14bfb2318396ec55869fc1c96c0f26
Opcode Fuzzy Hash: ce3f616a2da9b271ba885456be433d390fa156b4290fcb1675b5cba843e4f193
Instruction Fuzzy Hash: C1C04C7551414ECF8F005F74D00C7CE3B70EF49325B140211AC32C2A80D7B24C60DA09

Non-executed Functions

Function 00FAD9F3 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

NTDL, xrefs: 00FADDED

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: aa53dd47efe93d4a316e31eefc03465cd46a63f4118d49c67409eab3187fbf11
Instruction ID: 8b3a5cf84164de794d5146d1c2b4625e60342b9bdafb90e877c0a0e8b8c5bff8
Opcode Fuzzy Hash: aa53dd47efe93d4a316e31eefc03465cd46a63f4118d49c67409eab3187fbf11
Instruction Fuzzy Hash: 23A1B0F250820E9FDB01CE64C5416EF7BA5FB97330B24462AE80397E02D3B65D11FA69

Function 01180AEA Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 01180B31

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: 11ab36f3bb760d521b4052c4456c264b239222907bb01fb1253edc7f576e0ecb
Instruction ID: 1511fdd67c3d84159278ae9b6d41d4d52cf657a7c6064f905323f0b5dcc1a9f6
Opcode Fuzzy Hash: 11ab36f3bb760d521b4052c4456c264b239222907bb01fb1253edc7f576e0ecb
Instruction Fuzzy Hash: E5F0F83660020EFFCF15DF94C90498D7BB2FF19359B10C125FA0696651D7B596A4EF40

Function 00FB56A4 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6115c23e7ccc01e80309d22192599be0cd76115194ce9a061b0cae310717a62b
Instruction ID: d7d07b4de2d8c88dc4f2a4fc63f3a7dd2e78a1893befe61b94bf1264d26533c4
Opcode Fuzzy Hash: 6115c23e7ccc01e80309d22192599be0cd76115194ce9a061b0cae310717a62b
Instruction Fuzzy Hash: 10A10AB3E053644BF3110D34CCA43A17BA29B96310F2F42BACE886B7D6D87E5C499384

Function 00FB5700 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a764f6fffad5e235563dc7af7a760454f438c9127e1e33f56004e241bf694bac
Instruction ID: 3e3573529a7febe011f63105f5178cb20a050b95d49f68747cd9154c8408f517
Opcode Fuzzy Hash: a764f6fffad5e235563dc7af7a760454f438c9127e1e33f56004e241bf694bac
Instruction Fuzzy Hash: B39105B3E153644BF3550E24CCA43A17792DB95320F2F42B98E896B7C6D87E1C4A9384

Function 00FB5B37 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4748edcbbed234dc91b5f8af892dca52a3dab9ccf84f4d018e7cea18bc3ec3
Instruction ID: b6e6c71dd40cd12bcdfcb8be98fb28b1b056155fde04af4e683ea359089b41b5
Opcode Fuzzy Hash: fa4748edcbbed234dc91b5f8af892dca52a3dab9ccf84f4d018e7cea18bc3ec3
Instruction Fuzzy Hash: 01719BB3F111254BF3444E29CC583A27753DBC5714F2E82788A496B7C4DA7F6D4AA284

Function 00FB5D32 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73a69f5854cdedcb4d73546e640070b4c170912b933296adfe0fcfafc375a2d
Instruction ID: 23bd5a0ec067f0bdc2341cf23c6efe584d900a889566697249d9d9891bbd5576
Opcode Fuzzy Hash: c73a69f5854cdedcb4d73546e640070b4c170912b933296adfe0fcfafc375a2d
Instruction Fuzzy Hash: 1E214DB7F5112A4BF354483ACD5836265839BD5715F2FC2348F5CABAC8DCBE5D0A1284

Function 0117F162 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 011801E0: IsBadWritePtr.KERNEL32(?,00000004), ref: 011801EE

wsprintfA.USER32 ref: 0117F1A8
LoadImageA.USER32(?,?,?,?,?,?), ref: 0117F26C

Strings

%8x, xrefs: 0117F236, 0117F269
%8x, xrefs: 0117F1A3, 0117F1A6

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: ImageLoadWritewsprintf
String ID: %8x$%8x
API String ID: 416453052-2046107164
Opcode ID: 891b0d7cb867b687a25abe112baabe31e0e6f5fef548a8238fe2f54f68a9e148
Instruction ID: 67014201ec4040886ac6af0c6e3eb7f3dde30a13654f67a0366be151a3b1478e
Opcode Fuzzy Hash: 891b0d7cb867b687a25abe112baabe31e0e6f5fef548a8238fe2f54f68a9e148
Instruction Fuzzy Hash: 7A31067190010AFFCF15DFA4DC49EAEBB75FF98314F108125F912A62A0C7719A62DBA0

Function 0117FD33 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(018F18D4,00004020,00000000,-11325FEC), ref: 0117FE20

Strings

@, xrefs: 0117FD5F

Memory Dump Source

Source File: 00000000.00000002.1554474976.000000000117F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true

Associated: 00000000.00000002.1554072749.0000000000FA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554086697.0000000000FA2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554101779.0000000000FA6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554117386.0000000000FAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554133344.0000000000FB6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554232053.000000000110A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554249807.000000000110D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000111E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554268567.000000000112B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554302550.0000000001133000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554322925.0000000001137000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554379669.000000000115E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554456314.0000000001170000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554531581.0000000001183000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554550275.0000000001193000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554585805.0000000001195000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554600546.0000000001196000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554617691.000000000119D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554634091.000000000119E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554649791.00000000011A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554664738.00000000011A4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554679547.00000000011AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554735765.00000000011BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554752447.00000000011C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554767500.00000000011C1000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554782290.00000000011C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554854142.00000000011CB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554869071.00000000011D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554882488.00000000011D2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554895844.00000000011D3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554909288.00000000011D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554922396.00000000011D5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554941521.00000000011DE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554961176.00000000011DF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554999332.00000000011EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555021726.00000000011EF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555044681.00000000011F0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555066935.00000000011F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555086723.00000000011F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555109731.00000000011F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.000000000123A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555178923.0000000001240000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555217314.0000000001250000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1555272290.0000000001252000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fa0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 0562f22d1ffdd283e5fe5a84360ad864bc26bbc77e928fd080aeb230cb73e030
Instruction ID: f1dbd4bb4b3ee1cbe4831e003595f22832ecc974ef845f8cf5d9eee208e8478a
Opcode Fuzzy Hash: 0562f22d1ffdd283e5fe5a84360ad864bc26bbc77e928fd080aeb230cb73e030
Instruction Fuzzy Hash: 0F316DB5504206EFDB299F58C848B9FBBB1FF08344F018529E96667350C771E6A6CF90

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7656, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7656, Parent PID: 4084COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
file.exe

Function 011247CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133
fileCOMMON

Function 01180012 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 011335E1 Relevance: 4.6, APIs: 3, Instructions: 60
registryCOMMON

Function 011249BA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
fileCOMMON

Function 0118022E Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 0117FB9A Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 011226BC Relevance: 1.6, APIs: 1, Instructions: 132
libraryCOMMON

Function 01122596 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Function 05620D41 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Function 05620D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 05621509 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Function 05621510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Function 01180D66 Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 01180B4E Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 05621301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON