Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1566417
MD5:	8f9d86f076e12b28ada6e9bad6cee8c3
SHA1:	509d66d54d5f84ab1be7cfb5a90f3118d046c7cd
SHA256:	e5fe55593ab358b791df56f5047f6a3b1563fa45dd12e5e5dd249a3a5b2534d2
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8F9D86F076E12B28ADA6E9BAD6CEE8C3)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1866791134.0000000004730000.00000004.00001000.00020000.00000000.sdmp

Source: file.exe, 00000000.00000002.2001990286.00000000008CE000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://go.mic

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002741FE	0_2_002741FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0038C5F4	0_2_0038C5F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F58FB	0_2_000F58FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026FDFA	0_2_0026FDFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026FE11	0_2_0026FE11

Source: file.exe, 00000000.00000002.2001990286.000000000087E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2848256 > 1048576

Source: file.exe

Static PE information: Raw size of tlfljndr is bigger than: 0x100000 < 0x2b1600

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W;tlfljndr:EW;pcyievjx:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2c07cb should be: 0x2b86c7

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: tlfljndr
Source: file.exe	Static PE information: section name: pcyievjx
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F0CB push ecx; mov dword ptr [esp], 7EF72CB2h	0_2_0026F0DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F0CB push esi; mov dword ptr [esp], edx	0_2_0026F128
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F0CB push 3D68A3B8h; mov dword ptr [esp], ebx	0_2_0026F13D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F0CB push edx; mov dword ptr [esp], 6F7F3DEBh	0_2_0026F14B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F0CB push ecx; mov dword ptr [esp], esp	0_2_0026F175
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026F0CB push 20E727F8h; mov dword ptr [esp], ecx	0_2_0026F1C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C0 push esi; mov dword ptr [esp], 73CBFA25h	0_2_0029171A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C0 push edx; mov dword ptr [esp], ebx	0_2_00291736
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C0 push ebx; mov dword ptr [esp], ebp	0_2_00291767
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C0 push 383AFAD6h; mov dword ptr [esp], edi	0_2_00291783
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C0 push 483F416Eh; mov dword ptr [esp], eax	0_2_002917B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00292E5A push ebx; mov dword ptr [esp], ecx	0_2_00292EBA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00292E5A push 19B4986Fh; mov dword ptr [esp], ebx	0_2_00292EDE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00292FA3 push 72CD1956h; mov dword ptr [esp], ecx	0_2_00292FFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AF02F push ebx; ret	0_2_002AF03E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AF03F push ebx; ret	0_2_002AF03E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F2012 push esi; mov dword ptr [esp], 69013EE4h	0_2_000F2014
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0035F02B push ecx; mov dword ptr [esp], esi	0_2_0035F0B1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027F004 push 74A92679h; mov dword ptr [esp], ebx	0_2_0027E6AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0027E001 push ebp; mov dword ptr [esp], 0AE9A678h	0_2_0027FC58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F2023 push ecx; mov dword ptr [esp], 1FF95DE0h	0_2_000F3183
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000F2023 push 70B5BBA5h; mov dword ptr [esp], eax	0_2_000F3C3D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002CE018 push ebx; mov dword ptr [esp], ecx	0_2_002CE039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AE01C push ebp; ret	0_2_002AE02B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AD01D push ecx; ret	0_2_002AD02C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000EC032 push 4DBAB387h; mov dword ptr [esp], esi	0_2_000EC4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000EC032 push 44CE8EF7h; mov dword ptr [esp], ebp	0_2_000EC622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00273062 push edi; mov dword ptr [esp], 1EF4E46Bh	0_2_0027306C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AF06F push esi; ret	0_2_002AF07E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AB064 push 6A84ACD4h; mov dword ptr [esp], edx	0_2_002AB333
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002AC07E push ecx; ret	0_2_002AC08D

Source: file.exe

Static PE information: section name: entropy: 7.781134092286406

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE45B second address: EE461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD10 second address: EDD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2606D4 second address: 2606DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2606DC second address: 2606E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26EF45 second address: 26EF4F instructions: 0x00000000 rdtsc 0x00000002 je 00007F62B07F3376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F235 second address: 26F239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F239 second address: 26F23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 26F23F second address: 26F26F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007F62B07F1C68h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271CC3 second address: EDD10 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F62B07F3376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F62B07F337Bh 0x00000010 jmp 00007F62B07F3387h 0x00000015 popad 0x00000016 popad 0x00000017 pop eax 0x00000018 mov edx, dword ptr [ebp+122D2D1Eh] 0x0000001e push dword ptr [ebp+122D02B9h] 0x00000024 xor dh, 00000037h 0x00000027 call dword ptr [ebp+122D1E6Dh] 0x0000002d pushad 0x0000002e sub dword ptr [ebp+122D3BF5h], esi 0x00000034 xor eax, eax 0x00000036 jmp 00007F62B07F3387h 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f mov dword ptr [ebp+122D37A5h], ecx 0x00000045 mov dword ptr [ebp+122D2DA2h], eax 0x0000004b mov dword ptr [ebp+122D3BF5h], ecx 0x00000051 mov esi, 0000003Ch 0x00000056 stc 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b js 00007F62B07F338Eh 0x00000061 jmp 00007F62B07F3388h 0x00000066 lodsw 0x00000068 xor dword ptr [ebp+122D37A5h], edi 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007F62B07F337Bh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b pushad 0x0000007c sbb bl, 00000063h 0x0000007f xor dl, FFFFFFB5h 0x00000082 popad 0x00000083 nop 0x00000084 jp 00007F62B07F3384h 0x0000008a pushad 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271D39 second address: 271D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271D3F second address: 271D7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F62B07F337Ch 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F62B07F337Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271D7C second address: 271DA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jng 00007F62B07F1C56h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271DA6 second address: 271DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271DAB second address: 271E0E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F62B07F1C5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jp 00007F62B07F1C6Ah 0x00000014 pop eax 0x00000015 call 00007F62B07F1C5Ch 0x0000001a jmp 00007F62B07F1C5Bh 0x0000001f pop edi 0x00000020 push 00000003h 0x00000022 mov edi, dword ptr [ebp+122D2D3Eh] 0x00000028 push 00000000h 0x0000002a clc 0x0000002b push 00000003h 0x0000002d mov edx, 45E1EA8Ch 0x00000032 push 764042C9h 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push esi 0x0000003b pop esi 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271E0E second address: 271E18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271E18 second address: 271E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271EDA second address: 271EDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271EDF second address: 271F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F62B07F1C58h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 xor dword ptr [ebp+122D208Dh], edi 0x0000002c push 00000000h 0x0000002e adc si, BDD0h 0x00000033 mov esi, 509E48FFh 0x00000038 call 00007F62B07F1C59h 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push ecx 0x00000042 pop ecx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271F28 second address: 271F44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271F44 second address: 271F60 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F62B07F1C5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jns 00007F62B07F1C56h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271F60 second address: 271F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271F65 second address: 271F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F62B07F1C66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271F7F second address: 271FCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F337Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnl 00007F62B07F3382h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007F62B07F3388h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271FCD second address: 271FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271FD1 second address: 271FDB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F62B07F3376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271FDB second address: 271FE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 271FE1 second address: 271FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 27209B second address: 2720A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 284391 second address: 284397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2935D8 second address: 2935DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291AAC second address: 291ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007F62B07F3376h 0x0000000c jmp 00007F62B07F3384h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291ACC second address: 291AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291AD0 second address: 291AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291BF9 second address: 291C07 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F62B07F1C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291C07 second address: 291C28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3387h 0x00000007 je 00007F62B07F337Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291D34 second address: 291D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F62B07F1C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 291FCD second address: 291FE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F62B07F3376h 0x0000000d jno 00007F62B07F3376h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292134 second address: 292138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292138 second address: 292171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3380h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F62B07F337Dh 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F62B07F337Eh 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292467 second address: 29246B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29246B second address: 2924A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F3384h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jne 00007F62B07F3376h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 jmp 00007F62B07F337Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2924A2 second address: 2924A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292D3F second address: 292D57 instructions: 0x00000000 rdtsc 0x00000002 js 00007F62B07F3376h 0x00000008 jnc 00007F62B07F3376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F62B07F3376h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292D57 second address: 292D5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292FD4 second address: 292FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292FD8 second address: 292FEA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F62B07F1C5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 292FEA second address: 292FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 293414 second address: 293428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F62B07F1C5Ch 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29988F second address: 299895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299EF8 second address: 299F0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299F0E second address: 299F2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3385h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 299F2B second address: 299F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29F8C3 second address: 29F8E2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F62B07F3376h 0x00000008 jg 00007F62B07F3376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F62B07F337Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 263DF9 second address: 263DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29EF00 second address: 29EF1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29EF1F second address: 29EF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F62B07F1C66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29EF3E second address: 29EF59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F62B07F3376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007F62B07F3376h 0x00000013 jo 00007F62B07F3376h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29F1C0 second address: 29F1C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 29F47A second address: 29F480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1711 second address: 2A1738 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F62B07F1C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 7F930953h 0x00000012 movsx edi, dx 0x00000015 mov edi, 075AA498h 0x0000001a call 00007F62B07F1C59h 0x0000001f push ecx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1738 second address: 2A1776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edi 0x0000000a push edx 0x0000000b jnp 00007F62B07F3376h 0x00000011 pop edx 0x00000012 pop edi 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push edi 0x00000018 push ebx 0x00000019 jmp 00007F62B07F3387h 0x0000001e pop ebx 0x0000001f pop edi 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 ja 00007F62B07F3378h 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1776 second address: 2A178B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F62B07F1C56h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A178B second address: 2A178F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1B5E second address: 2A1B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C61h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1C8B second address: 2A1CB6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F62B07F337Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F62B07F3387h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1CB6 second address: 2A1CBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1CBA second address: 2A1CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2357 second address: 2A235D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A235D second address: 2A2366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2366 second address: 2A2378 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F62B07F1C64h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2950 second address: 2A2954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2954 second address: 2A299B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnc 00007F62B07F1C5Ah 0x00000011 nop 0x00000012 mov esi, dword ptr [ebp+122D2EEAh] 0x00000018 jmp 00007F62B07F1C60h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push ecx 0x00000021 pushad 0x00000022 popad 0x00000023 pop ecx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2EAA second address: 2A2EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2EAE second address: 2A2EB8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F62B07F1C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2F64 second address: 2A2F85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F337Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F62B07F337Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2F85 second address: 2A2F9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A2F9B second address: 2A2FA0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4B1D second address: 2A4B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A42C2 second address: 2A42DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4B23 second address: 2A4B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A42DF second address: 2A42F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F62B07F3382h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4B27 second address: 2A4B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A6A4C second address: 2A6AB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F62B07F3378h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jmp 00007F62B07F337Ah 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F62B07F3378h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 jmp 00007F62B07F337Bh 0x00000048 push 00000000h 0x0000004a mov dword ptr [ebp+122D208Dh], edx 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A6AB2 second address: 2A6AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A6AB6 second address: 2A6AC0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F62B07F3376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A74CB second address: 2A74D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A5D99 second address: 2A5D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A74D1 second address: 2A74D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A74D6 second address: 2A74DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2ADFCE second address: 2ADFD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7CF7 second address: 2A7CFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7CFD second address: 2A7D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A7D01 second address: 2A7D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 268CE0 second address: 268CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B235B second address: 2B237D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F62B07F3388h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B237D second address: 2B2383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2AC1ED second address: 2AC1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B4545 second address: 2B4549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B2587 second address: 2B258B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B4549 second address: 2B454F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B258B second address: 2B260A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F62B07F337Bh 0x0000000b popad 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D25AAh], edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F62B07F3378h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 or ebx, dword ptr [ebp+122D2079h] 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 clc 0x00000042 mov eax, dword ptr [ebp+122D0045h] 0x00000048 mov edi, dword ptr [ebp+122D2E5Eh] 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edx 0x00000053 call 00007F62B07F3378h 0x00000058 pop edx 0x00000059 mov dword ptr [esp+04h], edx 0x0000005d add dword ptr [esp+04h], 00000014h 0x00000065 inc edx 0x00000066 push edx 0x00000067 ret 0x00000068 pop edx 0x00000069 ret 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e push edi 0x0000006f pop edi 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B454F second address: 2B4554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B260A second address: 2B260F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B543A second address: 2B545E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F62B07F1C58h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B545E second address: 2B549A instructions: 0x00000000 rdtsc 0x00000002 je 00007F62B07F337Ch 0x00000008 jc 00007F62B07F3376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 add bx, 7D92h 0x00000016 push 00000000h 0x00000018 pushad 0x00000019 sub dword ptr [ebp+122D3626h], edx 0x0000001f popad 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 jmp 00007F62B07F3385h 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B47B0 second address: 2B47B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B73BE second address: 2B73C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B73C2 second address: 2B73D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F62B07F1C5Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7A6E second address: 2B7A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F62B07F3378h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov di, 5529h 0x00000014 movzx edi, bx 0x00000017 push 00000000h 0x00000019 mov edi, edx 0x0000001b push 00000000h 0x0000001d mov dword ptr [ebp+122D30B5h], edx 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 jng 00007F62B07F3378h 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B98E5 second address: 2B98EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA7BD second address: 2BA7DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F337Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F62B07F3378h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BA7DA second address: 2BA7DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BDA67 second address: 2BDA97 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F62B07F337Eh 0x00000008 jbe 00007F62B07F3376h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jnc 00007F62B07F3378h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F62B07F3381h 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BE000 second address: 2BE082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D34EBh], ecx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F62B07F1C58h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D2C62h] 0x00000031 mov edi, dword ptr [ebp+1246B179h] 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F62B07F1C58h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 and di, 73CFh 0x00000058 xchg eax, esi 0x00000059 jmp 00007F62B07F1C65h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push ecx 0x00000062 push eax 0x00000063 pop eax 0x00000064 pop ecx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BE082 second address: 2BE08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F62B07F3376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B8AB3 second address: 2B8AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2B7BD7 second address: 2B7C71 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F62B07F3378h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F62B07F3378h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov di, 9EEBh 0x0000002b call 00007F62B07F337Bh 0x00000030 mov dword ptr [ebp+122D35E0h], edi 0x00000036 pop edi 0x00000037 push dword ptr fs:[00000000h] 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007F62B07F3378h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 0000001Dh 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 push edx 0x00000059 pop edi 0x0000005a mov dword ptr fs:[00000000h], esp 0x00000061 mov dword ptr [ebp+122D3616h], edi 0x00000067 mov eax, dword ptr [ebp+122D13C9h] 0x0000006d or ebx, 6BE117C2h 0x00000073 push FFFFFFFFh 0x00000075 and bx, AF08h 0x0000007a nop 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e pushad 0x0000007f popad 0x00000080 pop eax 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BBBE8 second address: 2BBBF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F62B07F1C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BBBF2 second address: 2BBBF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BF0BD second address: 2BF0E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F62B07F1C62h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F62B07F1C5Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BF0E5 second address: 2BF0F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F62B07F3376h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BF0F0 second address: 2BF151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F62B07F1C58h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov ebx, dword ptr [ebp+122D2D96h] 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D342Ch], ecx 0x00000030 add di, 8F4Eh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F62B07F1C58h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2BF151 second address: 2BF168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CE0B3 second address: 2CE0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CD836 second address: 2CD83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CD83A second address: 2CD842 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDAE2 second address: 2CDAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDAE8 second address: 2CDAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDAED second address: 2CDAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2CDAF3 second address: 2CDAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D45A1 second address: 2D45A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D45A7 second address: 2D45AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D45AC second address: 2D45C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F62B07F3378h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D45C1 second address: 2D45C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D45C7 second address: 2D45CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2D47F8 second address: EDD10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F62B07F1C68h 0x0000000e popad 0x0000000f xor dword ptr [esp], 056440D4h 0x00000016 jmp 00007F62B07F1C68h 0x0000001b push dword ptr [ebp+122D02B9h] 0x00000021 cmc 0x00000022 call dword ptr [ebp+122D1E6Dh] 0x00000028 pushad 0x00000029 sub dword ptr [ebp+122D3BF5h], esi 0x0000002f xor eax, eax 0x00000031 jmp 00007F62B07F1C67h 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a mov dword ptr [ebp+122D37A5h], ecx 0x00000040 mov dword ptr [ebp+122D2DA2h], eax 0x00000046 mov dword ptr [ebp+122D3BF5h], ecx 0x0000004c mov esi, 0000003Ch 0x00000051 stc 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 js 00007F62B07F1C6Eh 0x0000005c jmp 00007F62B07F1C68h 0x00000061 lodsw 0x00000063 xor dword ptr [ebp+122D37A5h], edi 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d jmp 00007F62B07F1C5Bh 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 pushad 0x00000077 sbb bl, 00000063h 0x0000007a xor dl, FFFFFFB5h 0x0000007d popad 0x0000007e nop 0x0000007f jp 00007F62B07F1C64h 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DAB84 second address: 2DABAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F62B07F3376h 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F62B07F3383h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB136 second address: 2DB151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F62B07F1C66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB151 second address: 2DB167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F62B07F3376h 0x00000009 jne 00007F62B07F3376h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB441 second address: 2DB44B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB44B second address: 2DB451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB451 second address: 2DB455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB5F3 second address: 2DB5FF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F62B07F3376h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2DB5FF second address: 2DB604 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5C0F second address: 2E5C16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5D89 second address: 2E5DA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5DA2 second address: 2E5DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5F13 second address: 2E5F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5F19 second address: 2E5F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5F1D second address: 2E5F21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E5F21 second address: 2E5F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E6190 second address: 2E61D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F62B07F1C65h 0x0000000a jmp 00007F62B07F1C63h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F62B07F1C67h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E61D9 second address: 2E61DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E68BA second address: 2E68BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E68BE second address: 2E68DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F62B07F337Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 pop eax 0x00000018 jbe 00007F62B07F3376h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E6BAA second address: 2E6BD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F62B07F1C68h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jnc 00007F62B07F1C58h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2872E5 second address: 2872FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F62B07F3381h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2872FC second address: 287301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 287301 second address: 287307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 287307 second address: 287313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F62B07F1C56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 287313 second address: 28731C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 28731C second address: 287322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2E58E1 second address: 2E5901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3387h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB7E6 second address: 2EB7EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB7EA second address: 2EB7FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F62B07F337Ah 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB7FE second address: 2EB81E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F62B07F1C5Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jnp 00007F62B07F1C56h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB81E second address: 2EB824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB824 second address: 2EB82E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F62B07F1C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2EB82E second address: 2EB832 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F10A3 second address: 2F10BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C5Dh 0x00000007 jno 00007F62B07F1C56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F10BD second address: 2F10C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F0D79 second address: 2F0D8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F62B07F1C5Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F0D8B second address: 2F0DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F62B07F3389h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F26DF second address: 2F26E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F26E3 second address: 2F2730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F62B07F3388h 0x0000000b jmp 00007F62B07F3382h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F62B07F3380h 0x00000017 pushad 0x00000018 jc 00007F62B07F3376h 0x0000001e push edx 0x0000001f pop edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F2730 second address: 2F2752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F62B07F1C69h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F2752 second address: 2F275C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F62B07F3376h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6E8E second address: 2F6E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6E94 second address: 2F6E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F62B07F3376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F5D34 second address: 2F5D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0046 second address: 2A004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A04A3 second address: 2A04A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0638 second address: 2A063C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A063C second address: 2A0646 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F62B07F1C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0646 second address: 2A064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A064C second address: 2A0650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0650 second address: 2A0695 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F62B07F3376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jc 00007F62B07F3394h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jbe 00007F62B07F3376h 0x00000020 ja 00007F62B07F3376h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0695 second address: 2A06E6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b jmp 00007F62B07F1C66h 0x00000010 pushad 0x00000011 je 00007F62B07F1C56h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jng 00007F62B07F1C60h 0x00000025 pop eax 0x00000026 movzx edx, bx 0x00000029 call 00007F62B07F1C59h 0x0000002e pushad 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A06E6 second address: 2A06FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F62B07F3382h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A06FF second address: 2A0703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0703 second address: 2A0711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0711 second address: 2A0715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0715 second address: 2A071B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A071B second address: 2A074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jmp 00007F62B07F1C67h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A074D second address: 2A0772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F62B07F3387h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0772 second address: 2A0790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F62B07F1C56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0790 second address: 2A07AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F3389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A07AD second address: 2A07B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A07B2 second address: 2A07B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0B73 second address: 2A0B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0B78 second address: 2A0B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F62B07F337Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0B87 second address: 2A0B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0FBE second address: 2A0FC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0FC4 second address: 2A0FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0FC8 second address: 2A0FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A138D second address: 2A1420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F62B07F1C5Fh 0x0000000c nop 0x0000000d jmp 00007F62B07F1C61h 0x00000012 lea eax, dword ptr [ebp+12485E04h] 0x00000018 movsx ecx, dx 0x0000001b push eax 0x0000001c pushad 0x0000001d push ebx 0x0000001e pushad 0x0000001f popad 0x00000020 pop ebx 0x00000021 push edi 0x00000022 jmp 00007F62B07F1C61h 0x00000027 pop edi 0x00000028 popad 0x00000029 mov dword ptr [esp], eax 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F62B07F1C58h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 xor edi, 33AD5119h 0x0000004c jmp 00007F62B07F1C60h 0x00000051 lea eax, dword ptr [ebp+12485DC0h] 0x00000057 add edi, 33E554A3h 0x0000005d nop 0x0000005e pushad 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1420 second address: 2872E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F62B07F3385h 0x0000000b jmp 00007F62B07F337Fh 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F62B07F3383h 0x00000017 nop 0x00000018 jmp 00007F62B07F337Ch 0x0000001d call dword ptr [ebp+122D2F43h] 0x00000023 jp 00007F62B07F338Eh 0x00000029 je 00007F62B07F3388h 0x0000002f jmp 00007F62B07F3380h 0x00000034 pushad 0x00000035 popad 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c jc 00007F62B07F3376h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F5FFA second address: 2F6000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6000 second address: 2F600E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnc 00007F62B07F3376h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6560 second address: 2F6574 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F62B07F1C56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d jne 00007F62B07F1C56h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6574 second address: 2F6580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F62B07F3376h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6703 second address: 2F6707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2F6707 second address: 2F670D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FA357 second address: 2FA35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FA5FD second address: 2FA603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FCE99 second address: 2FCE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FCA42 second address: 2FCA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2FCA46 second address: 2FCA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F62B07F1C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007F62B07F1C5Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30185E second address: 301862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301862 second address: 30187A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007F62B07F1C56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F62B07F1C5Ch 0x00000012 jl 00007F62B07F1C56h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301BAA second address: 301BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301EB6 second address: 301EBB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 301EBB second address: 301EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306AC3 second address: 306AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306AC7 second address: 306ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306ACB second address: 306AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C5Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F62B07F1C5Dh 0x00000010 pushad 0x00000011 jno 00007F62B07F1C56h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306C7A second address: 306C84 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F62B07F337Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0D97 second address: 2A0DA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F62B07F1C56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A0E8B second address: 2A0EA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F62B07F3380h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306F87 second address: 306FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C5Ch 0x00000009 jnc 00007F62B07F1C56h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jl 00007F62B07F1C6Eh 0x00000018 jmp 00007F62B07F1C62h 0x0000001d jnl 00007F62B07F1C56h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306FBE second address: 306FF1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F62B07F3382h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007F62B07F3388h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 306FF1 second address: 307004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jbe 00007F62B07F1C56h 0x0000000c js 00007F62B07F1C56h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30BBF4 second address: 30BBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30BBFA second address: 30BBFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30C465 second address: 30C481 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F62B07F3380h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30C481 second address: 30C48E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 30C48E second address: 30C494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314BB6 second address: 314BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314BBA second address: 314BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314BC0 second address: 314C30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F62B07F1C56h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007F62B07F1C62h 0x00000012 jmp 00007F62B07F1C61h 0x00000017 jmp 00007F62B07F1C64h 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 pushad 0x00000021 jmp 00007F62B07F1C5Dh 0x00000026 jng 00007F62B07F1C56h 0x0000002c popad 0x0000002d pushad 0x0000002e jmp 00007F62B07F1C5Ah 0x00000033 jnl 00007F62B07F1C56h 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314C30 second address: 314C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 314C39 second address: 314C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A1181 second address: 2A1185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3140B4 second address: 3140E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C61h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F62B07F1C63h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3140E2 second address: 3140EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3140EB second address: 3140EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3140EF second address: 3140F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3140F3 second address: 31411F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C5Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jo 00007F62B07F1C6Bh 0x00000012 jmp 00007F62B07F1C5Dh 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31D59E second address: 31D5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31D5A2 second address: 31D5D6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F62B07F1C61h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F62B07F1C65h 0x00000010 jnp 00007F62B07F1C5Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31C6AA second address: 31C6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 31C6B1 second address: 31C72E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F62B07F1C68h 0x00000008 jp 00007F62B07F1C56h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F62B07F1C68h 0x0000001c jbe 00007F62B07F1C56h 0x00000022 popad 0x00000023 pushad 0x00000024 jmp 00007F62B07F1C62h 0x00000029 jmp 00007F62B07F1C65h 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 popad 0x00000031 pushad 0x00000032 jg 00007F62B07F1C56h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325EE7 second address: 325EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 25B5BA second address: 25B5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 324230 second address: 324257 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F62B07F3376h 0x00000008 jnc 00007F62B07F3376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jmp 00007F62B07F337Bh 0x00000016 pop esi 0x00000017 push edx 0x00000018 push ebx 0x00000019 jne 00007F62B07F3376h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32465B second address: 32465F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 324A78 second address: 324A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 324E8E second address: 324E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 324E92 second address: 324EBF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F62B07F3376h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jnl 00007F62B07F3376h 0x00000013 jmp 00007F62B07F3389h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 324EBF second address: 324ECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325007 second address: 325044 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F62B07F33A5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325044 second address: 325050 instructions: 0x00000000 rdtsc 0x00000002 je 00007F62B07F1C5Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325050 second address: 325057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325057 second address: 325069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F62B07F1C56h 0x0000000a jnl 00007F62B07F1C56h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 325DA0 second address: 325DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 323D69 second address: 323D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C65h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 323D84 second address: 323DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F62B07F3384h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F62B07F3376h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 323DAD second address: 323DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32C32A second address: 32C33A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F62B07F3376h 0x00000008 jc 00007F62B07F3376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32C47E second address: 32C483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 32C483 second address: 32C4D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F3380h 0x00000009 jmp 00007F62B07F3380h 0x0000000e popad 0x0000000f pushad 0x00000010 jp 00007F62B07F3376h 0x00000016 jnl 00007F62B07F3376h 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F62B07F3386h 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 push edi 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 338B45 second address: 338B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33B2B1 second address: 33B2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 je 00007F62B07F3376h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F62B07F3381h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 push ecx 0x00000018 jns 00007F62B07F3376h 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33B2DC second address: 33B2F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F62B07F1C66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33F38B second address: 33F38F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 33F38F second address: 33F3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F62B07F1C63h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340AFE second address: 340B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F337Fh 0x00000009 popad 0x0000000a jng 00007F62B07F3382h 0x00000010 jnl 00007F62B07F3376h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B20 second address: 340B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B27 second address: 340B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jo 00007F62B07F3376h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B3A second address: 340B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B40 second address: 340B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F62B07F3376h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F62B07F3388h 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B67 second address: 340B73 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B73 second address: 340B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 340B77 second address: 340B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343CE6 second address: 343CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343CEC second address: 343CF6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 343CF6 second address: 343CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 348906 second address: 34891B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34891B second address: 34891F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34891F second address: 348927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 348927 second address: 348943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F62B07F3385h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 348943 second address: 34896D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jg 00007F62B07F1C56h 0x0000000f jmp 00007F62B07F1C69h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34896D second address: 348975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34745D second address: 347465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A05F second address: 34A065 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A065 second address: 34A06A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A06A second address: 34A073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A073 second address: 34A079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A079 second address: 34A07D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A07D second address: 34A0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C5Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F62B07F1C5Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 34A0A1 second address: 34A0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F62B07F3382h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 351718 second address: 351744 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F62B07F1C61h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F62B07F1C56h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 ja 00007F62B07F1C56h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A198 second address: 35A19C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A433 second address: 35A443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A443 second address: 35A447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A6DD second address: 35A707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F62B07F1C56h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jns 00007F62B07F1C56h 0x00000012 popad 0x00000013 pop ecx 0x00000014 jne 00007F62B07F1C6Ch 0x0000001a push ecx 0x0000001b jno 00007F62B07F1C56h 0x00000021 pop ecx 0x00000022 jne 00007F62B07F1C5Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A80E second address: 35A825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F62B07F3381h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A825 second address: 35A829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35A829 second address: 35A869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F62B07F337Ch 0x0000000c jo 00007F62B07F3376h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jmp 00007F62B07F3380h 0x0000001e pop esi 0x0000001f jp 00007F62B07F3386h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 35EF2D second address: 35EF5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F62B07F1C67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 jmp 00007F62B07F1C5Bh 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 366B01 second address: 366B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F62B07F3385h 0x0000000b pop esi 0x0000000c jnp 00007F62B07F3398h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F62B07F3384h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 366B39 second address: 366B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37866F second address: 378673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37AC3F second address: 37AC43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37AC43 second address: 37AC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F62B07F3384h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37ADBF second address: 37ADCE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F62B07F1C56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37ADCE second address: 37ADD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37ADD6 second address: 37ADDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 37ADDF second address: 37ADE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384C38 second address: 384C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384C3C second address: 384C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384C42 second address: 384C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F62B07F1C5Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384C56 second address: 384C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384C5C second address: 384C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F62B07F1C67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 383E6F second address: 383E92 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F62B07F3376h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F62B07F3380h 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384743 second address: 384747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384747 second address: 384750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 384750 second address: 384756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 388240 second address: 38824F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F62B07F3376h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38824F second address: 388253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 388253 second address: 38825F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 38825F second address: 388263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 387C4E second address: 387C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F62B07F3376h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 387C59 second address: 387C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F62B07F1C69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 392493 second address: 3924A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F62B07F3376h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3924A3 second address: 3924A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3924A7 second address: 3924AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 387E2D second address: 387E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4724 second address: 2A473F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F62B07F337Ch 0x00000008 jnc 00007F62B07F3376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 js 00007F62B07F3376h 0x0000001a pop edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A473F second address: 2A4744 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A491D second address: 2A4923 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 2A4923 second address: 2A4939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F62B07F1C62h 0x00000009 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDC86 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDD49 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDC8C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2999C0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 299695 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 2C2C8F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 33157C instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 48C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4A70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6A70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027200A rdtsc

0_2_0027200A

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7412

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0027200A rdtsc

0_2_0027200A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_000EB7E6 LdrInitializeThunk,

0_2_000EB7E6

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: /Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.mic	file.exe, 00000000.00000002.2001990286.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566417
Start date and time:	2024-12-02 07:36:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.32.238.219, 23.32.238.192, 23.32.238.195, 23.32.238.179, 23.32.238.226, 23.32.238.169, 23.32.238.240, 23.32.238.232, 23.32.238.185
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.470447667858611
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'848'256 bytes
MD5:	8f9d86f076e12b28ada6e9bad6cee8c3
SHA1:	509d66d54d5f84ab1be7cfb5a90f3118d046c7cd
SHA256:	e5fe55593ab358b791df56f5047f6a3b1563fa45dd12e5e5dd249a3a5b2534d2
SHA512:	e49692d7be331a93a9d919dcbc9b7171ff9eb8370d2ddcead955aeb2c0423e00b04a2c6e9b5969541b5a8e97c0534462646ba3d44bef568f3b2dd31db54b8699
SSDEEP:	49152:rnLrCGixtFgGyVFEFOtHlddl+6YdKpeRr:rnLrCGixtFcVFPpve6Lpm
TLSH:	94D55CA1B508B5CFD48E2774896BCD47995D43B90B2048C3BE6CB4BAFD63CC126B6D24
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ....................... ,.......,...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6be000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F62B0E9C33Ah
andps xmm5, dqword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [0200000Ah], al
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax+000000FEh], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	66fb4e06464105fea56e697292579013	False	0.9320746527777778	data	7.781134092286406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tlfljndr	0xa000	0x2b2000	0x2b1600	28d5a428f18f02e69ba53e77f2d002fe	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pcyievjx	0x2bc000	0x2000	0x400	e90a31fa4e502591c6600e4f1232242e	False	0.787109375	data	6.1746952320115085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2be000	0x4000	0x2200	38fe55b9189d3e29b40eec8fa093dcea	False	0.060776654411764705	DOS executable (COM)	0.784386460972728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	01:37:13
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe0000
File size:	2'848'256 bytes
MD5 hash:	8F9D86F076E12B28ADA6E9BAD6CEE8C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	20.5%
Signature Coverage:	6.8%
Total number of Nodes:	44
Total number of Limit Nodes:	2

Executed Functions

Function 0027200A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 002720B2
CreateFileA.KERNELBASE(3D02AE62), ref: 00272179

Strings

8"<@, xrefs: 0027214E

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID: 8"<@
API String ID: 823142352-708683187
Opcode ID: 09c9e61ec8f046e1290f3d7a8bf9b31c032e0d42aa7b00fb122f855111a6d577
Instruction ID: 9714a918c67f7e5d4c6a70f5d0d2630194abb5ddbf3518250d446f36ed01ea07
Opcode Fuzzy Hash: 09c9e61ec8f046e1290f3d7a8bf9b31c032e0d42aa7b00fb122f855111a6d577
Instruction Fuzzy Hash: B12109B2518216FEF7049F209D52BFF7BACEB91730F60842EF949D6542D2B10D288634

Function 000EB7E6 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 000EB956

Memory Dump Source

Source File: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: 78615e8cb8b1f17912f1fede1cb30bd981a92e797b455d7dcb2346e40e2a4011
Instruction ID: 0caaca9ddb6153af61ac3ddcbe784090f6bed256120dcc0af9954ef570d7c61f
Opcode Fuzzy Hash: 78615e8cb8b1f17912f1fede1cb30bd981a92e797b455d7dcb2346e40e2a4011
Instruction Fuzzy Hash: 30E08C721445CA8ECB269FA1890179BBA0DEB41700F600114EA01AAA4BCF2D5811CBA6

Function 0027206C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 002720B2
CreateFileA.KERNELBASE(3D02AE62), ref: 00272179

Strings

8"<@, xrefs: 0027214E

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID: 8"<@
API String ID: 823142352-708683187
Opcode ID: dbabe22b3f4c43ed094e28996ad3aafef789ce536bbe35605195a0bcd36d0048
Instruction ID: 7e780685757966cf1d11a69a909e5e76b1bc85121253670c17b658dcae89a2aa
Opcode Fuzzy Hash: dbabe22b3f4c43ed094e28996ad3aafef789ce536bbe35605195a0bcd36d0048
Instruction Fuzzy Hash: AC210AB601C256AFE7049F209D62AFF7BA8EB85734F60841EF949D6542D2B10E188674

Function 00272092 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 002720B2
CreateFileA.KERNELBASE(3D02AE62), ref: 00272179

Strings

8"<@, xrefs: 0027214E

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID: 8"<@
API String ID: 823142352-708683187
Opcode ID: 88b304193f58613e2ff81cfabb5124205ececd3cf424514155e3bff057cd6c68
Instruction ID: d57b15770018bdc81ee0895a8e0059c2fdc7b15fd9ac96a25628ab8b72b1e6b1
Opcode Fuzzy Hash: 88b304193f58613e2ff81cfabb5124205ececd3cf424514155e3bff057cd6c68
Instruction Fuzzy Hash: B12128B315C216AEF704DF10A952AFF7BA8EB81330F60842EF849C5541D2B10D288739

Function 0027E29C Relevance: 4.6, APIs: 3, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0027FE42
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0027FE69
GetNativeSystemInfo.KERNELBASE(?), ref: 0027FEC0

Memory Dump Source

Source File: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: 676b338f0fa894665f85c33447966003e2e87cd680c2c2b03ee35115f170e4a6
Instruction ID: 77860a5855897b3f18110d46d160f7cd1cc8c8fc6bdb9b4dac994c29651607d5
Opcode Fuzzy Hash: 676b338f0fa894665f85c33447966003e2e87cd680c2c2b03ee35115f170e4a6
Instruction Fuzzy Hash: D721267211410F9FEF11DF60C948BEE3AA9EB19310F104526E90986E91E7B64CB8DB58

Function 002720D3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(3D02AE62), ref: 00272179

Strings

8"<@, xrefs: 0027214E

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID: 8"<@
API String ID: 823142352-708683187
Opcode ID: 1b8a47998f2b7bbdfee1a816b61dadcb438724f5422c27f7f3f81aabcb58aa05
Instruction ID: c6dfc51de02efe0133f6f589cc667d7e1a93ad3ae2a777d406248106b0f867e5
Opcode Fuzzy Hash: 1b8a47998f2b7bbdfee1a816b61dadcb438724f5422c27f7f3f81aabcb58aa05
Instruction Fuzzy Hash: 2511E7B355C315BEF7049F509851FBB77A8EB40734F60841EF94A96582D2F10D188B69

Function 00272112 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(3D02AE62), ref: 00272179

Strings

8"<@, xrefs: 0027214E

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID: 8"<@
API String ID: 823142352-708683187
Opcode ID: c5e38f71e34a26b32d3820841bc68a30ab1acea2be0feb816fec7d01e8492500
Instruction ID: 5a34ddda135cfe69c219ea6b7174e4458cdd7820467b46c47bb3fd0c4a026195
Opcode Fuzzy Hash: c5e38f71e34a26b32d3820841bc68a30ab1acea2be0feb816fec7d01e8492500
Instruction Fuzzy Hash: F901417344C356BFEB009F609C51BFB7728EF41234F20842AE84596182C2A10E288626

Function 0026F0CB Relevance: 1.6, APIs: 1, Instructions: 100
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0026F0CB

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 06a86756e9fb9d521397ec015fa6a67d58bc6ca2d70704a43f9d5aed9719f535
Instruction ID: 4ccdcd622dea526a33ee82fa57bf78e3f97d3b151851544fca4289d88a0af99f
Opcode Fuzzy Hash: 06a86756e9fb9d521397ec015fa6a67d58bc6ca2d70704a43f9d5aed9719f535
Instruction Fuzzy Hash: DB3114B251D200EFD70AAF19D8816AEFBF5EF98720F06482DE6D583610D3314890CB97

Function 00271E45 Relevance: 1.6, APIs: 1, Instructions: 87
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?), ref: 00271EA7

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28b94ff8781a793992f003428811164842767d74299501202ec0653bfcd05232
Instruction ID: 4c90cc3866d0430028a4ca801e13f292149a3019ac9be34d2bb780fef2dbe4cc
Opcode Fuzzy Hash: 28b94ff8781a793992f003428811164842767d74299501202ec0653bfcd05232
Instruction Fuzzy Hash: 8911E4B25582657EF30299281A21AFB7B6CDF92330F30C43AFD49D1843D2A00E794635

Function 048C0D43 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 048C0DCD

Memory Dump Source

Source File: 00000000.00000002.2003428056.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 62158dfcf75b71e1a5fc44322de916c443e6a2abafd79dd2fd02aeeffb22f406
Instruction ID: 647ffc0dab3f6ad6ddbd9916c36a73861e0545f8b6ebbdafe974363dc8f0c619
Opcode Fuzzy Hash: 62158dfcf75b71e1a5fc44322de916c443e6a2abafd79dd2fd02aeeffb22f406
Instruction Fuzzy Hash: CE2165B2C00218DFCB50CF99D884ADEFBF5EB88320F14861AD908AB204C734A540CBA5

Function 048C0D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 048C0DCD

Memory Dump Source

Source File: 00000000.00000002.2003428056.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: cef28fad4b52a056a25f333744a82c25fe1a48d3220e8920ac948415474343cf
Instruction ID: fe9e2675b2820c7e3f14853ffbf7f1e57d4fd3316b6fafd13eca5725513df1e5
Opcode Fuzzy Hash: cef28fad4b52a056a25f333744a82c25fe1a48d3220e8920ac948415474343cf
Instruction Fuzzy Hash: E42113B6C00219DFCB50CF99D884ADEFBF5EB89320F14865AD908AB244D774A544CBA5

Function 048C1509 Relevance: 1.6, APIs: 1, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 048C1580

Memory Dump Source

Source File: 00000000.00000002.2003428056.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 8e51562d8bb4d8debf5407a864cda97513b08c6e28f43f1233fbe4318388a3a2
Instruction ID: be694cdcadea87ee72271feadf8d00ec8d45ba2a1b3b0570705f3eecb75c051b
Opcode Fuzzy Hash: 8e51562d8bb4d8debf5407a864cda97513b08c6e28f43f1233fbe4318388a3a2
Instruction Fuzzy Hash: 6C2114B1D002499FDB10CF9AC985BDEFBF4EB48320F10852AE559E3251D778A644CFA5

Function 048C1510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 048C1580

Memory Dump Source

Source File: 00000000.00000002.2003428056.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: d0e96e75e6a7c0d5b77c43b64ef1c971bb67c87f0ed8cd8a011ea6c31e9107b9
Instruction ID: d39cd35374a67e39d3fd5314801a524901138edba52f2a0d6915d9bb109a7bed
Opcode Fuzzy Hash: d0e96e75e6a7c0d5b77c43b64ef1c971bb67c87f0ed8cd8a011ea6c31e9107b9
Instruction Fuzzy Hash: 3911E4B1D002499FDB10CF9AC985BDEFBF4EB48320F14842AE559A3251D778A644CFA5

Function 048C1301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 048C1367

Memory Dump Source

Source File: 00000000.00000002.2003428056.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 3b5c85d95d7167f7e3e648be8263149bc8f58b3a65797217037d26bb0e999a70
Instruction ID: b4b71ff56df7f650e39c788066cf0367d7380c3063064a276c43285cb07619af
Opcode Fuzzy Hash: 3b5c85d95d7167f7e3e648be8263149bc8f58b3a65797217037d26bb0e999a70
Instruction Fuzzy Hash: F11116B2800249CFDB10CFAAD585BDEFFF8EB48324F24855AD558A3641C778A944CFA5

Function 048C1308 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 048C1367

Memory Dump Source

Source File: 00000000.00000002.2003428056.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48c0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 533b07db42903fd3f217748554cf3f301ab6bf063559d8c347ee0213d7454aa8
Instruction ID: 64ed9e9bfc93ab7b9f4a615ea4fd905c978169591ad7d25b21a0db9979c1cad5
Opcode Fuzzy Hash: 533b07db42903fd3f217748554cf3f301ab6bf063559d8c347ee0213d7454aa8
Instruction Fuzzy Hash: 9D1136B1800249CFDB10CFAAC985BDEFBF8EB48324F24845AD558A3640C778A544CFA5

Function 00271E70 Relevance: 1.5, APIs: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 00271EA7

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8811e2d758887e0f7ecb2c847cf6f229e713bb1f7d796598c6a129c3e34c2bb6
Instruction ID: 2a5bf5715edfce370364e551291a4e2c7a011f100f7c612323a5f44dfdd547fc
Opcode Fuzzy Hash: 8811e2d758887e0f7ecb2c847cf6f229e713bb1f7d796598c6a129c3e34c2bb6
Instruction Fuzzy Hash: 50F0E9F2869206AEF7158E694A159BB77ACDE95334B30C43EFC49C1841E1B10E745A35

Function 00271E9D Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 00271EA7

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b2acdf90dec97c1d88c4c2bca19926c8e70ab54778025613f9d53b7d1bea4502
Instruction ID: 22f2afd6b14df1d234f68387e56fff93f7fb6b59fa5aa306c73be5b80df6efd2
Opcode Fuzzy Hash: b2acdf90dec97c1d88c4c2bca19926c8e70ab54778025613f9d53b7d1bea4502
Instruction Fuzzy Hash: F7F0A7F2569215AEF7418F748E116FB777CEE92320B34842EEC49C1802E2714E754735

Function 002AE040 Relevance: 1.5, APIs: 1, Instructions: 26threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000), ref: 002AE074

Memory Dump Source

Source File: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 63c2fab0e3b25d0c811868196b66143404c7d2ac3782b6324d3c9dfb2a806960
Instruction ID: 80838a9f1b47306a6c014cf42593686f4c0be229447f3db1551add8ac673675e
Opcode Fuzzy Hash: 63c2fab0e3b25d0c811868196b66143404c7d2ac3782b6324d3c9dfb2a806960
Instruction Fuzzy Hash: CFE07DBB2542173ED9105F7C0C88B1F3A095B0AF73FA18A01F112AE4C1CDC708111739

Function 002AE030 Relevance: 1.5, APIs: 1, Instructions: 25threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000), ref: 002AE074

Memory Dump Source

Source File: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 3d853ef9eb8c7d93109474954e81a239a4d7c7210b9a90cd31ded71c681f61cc
Instruction ID: ad125bc15111a013c1626d53a4ec8d75dda9b35b42b70d216684252d5f8605f1
Opcode Fuzzy Hash: 3d853ef9eb8c7d93109474954e81a239a4d7c7210b9a90cd31ded71c681f61cc
Instruction Fuzzy Hash: 8CE026B72A422B7EEA114F640C59B6F3E189B06FB2F228400F2056E0C2CAD54C125774

Function 002AE059 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000), ref: 002AE074

Memory Dump Source

Source File: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ffded0053f4eceacea38fe3d69448048c4bb4e1c3adc8926986a7c2025380c4f
Instruction ID: d730e16299e94fa2b03618921b93ffe1dcfc57ee56dd6a19e72d6a3bb3d4a11e
Opcode Fuzzy Hash: ffded0053f4eceacea38fe3d69448048c4bb4e1c3adc8926986a7c2025380c4f
Instruction Fuzzy Hash: 10E0C27B24062AAFDA115F688C95F6E7A649B09F62F014418F104EB8C2CA9508515765

Function 002AEF59 Relevance: 1.5, APIs: 1, Instructions: 9threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 002AEF69

Memory Dump Source

Source File: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 866130079e7e8ea92f1edab588bfca00e72d0e121c26a0b0ea3e02a15ca24bce
Instruction ID: 82bd376a81bb12de1611c1463aaca6333a9178e5cbf93f9cdbe25cdefcb8797f
Opcode Fuzzy Hash: 866130079e7e8ea92f1edab588bfca00e72d0e121c26a0b0ea3e02a15ca24bce
Instruction Fuzzy Hash: 2EC080714587A97EDB159F70481E74E7F40EF16211F07458DD4415B4C3DE254C14CB0C

Function 002916C0 Relevance: 1.4, APIs: 1, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 002916C0

Memory Dump Source

Source File: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f3c1fc1ce455518ccaf942e8c94415d4eb4b8e13ddbb5915727a628156e5b649
Instruction ID: d48df7189cb71a45b16d0320c33f16bd94a7bdec225d742059fc9e9adb7f65fc
Opcode Fuzzy Hash: f3c1fc1ce455518ccaf942e8c94415d4eb4b8e13ddbb5915727a628156e5b649
Instruction Fuzzy Hash: B8313BB281D700EFD301AF19DC806AAFBE9FF99721F16492EE6C483610D67598408B93

Function 00292E5A Relevance: 1.4, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00292E5A

Memory Dump Source

Source File: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0c49d8a6d158c099257eed27623b413fc34641afd7a2efd893efb2d42623f299
Instruction ID: 61a0345a72b0c5778a1503d119d9b01b0b6d4b4ffc3ef2dbbcbba0a9fe2ef7e0
Opcode Fuzzy Hash: 0c49d8a6d158c099257eed27623b413fc34641afd7a2efd893efb2d42623f299
Instruction Fuzzy Hash: 743109F241C610AFE756AF18D8857BAFBE4FF08320F16482CE6D982240E77558549B9B

Function 00292FA3 Relevance: 1.3, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00292FA3

Memory Dump Source

Source File: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2b2d894fcfa2a2b4f2f4689ffd4b7b308ffbef4793a11f32ba19bbbc6355b890
Instruction ID: 6906f358ffd72e01cc30766128296ace2078efe95b3f648d5b9dce6a962524f8
Opcode Fuzzy Hash: 2b2d894fcfa2a2b4f2f4689ffd4b7b308ffbef4793a11f32ba19bbbc6355b890
Instruction Fuzzy Hash: 85E059FB29C1617C740295853F24EF7A76EE0D2771331882BF946E0D0AE7850A5D2135

Function 000EEF2D Relevance: 1.3, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 000EEF43

Memory Dump Source

Source File: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a65b6bc2a727ee15601607e9ac060321a900fc8accf2e96bf43920a6f623b174
Instruction ID: 107f74d1314a1f095556f8b9a528cae14a380ee2eb347164a9bdcc8935ff20b6
Opcode Fuzzy Hash: a65b6bc2a727ee15601607e9ac060321a900fc8accf2e96bf43920a6f623b174
Instruction Fuzzy Hash: 8BE08C7550A34AAFE7408FB094585BE37F4FF50326F204E1AF815C2180D7314C808A16

Function 000EECC3 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 000EECC8

Memory Dump Source

Source File: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 87b618d510aff5c3d688572b2652367fdaf7659731267114a6c3583939d6eeec
Instruction ID: 64215c75736b4ac3ae48cf3d06774cf7b0544cac2eac7cf4f62f055125351d4d
Opcode Fuzzy Hash: 87b618d510aff5c3d688572b2652367fdaf7659731267114a6c3583939d6eeec
Instruction Fuzzy Hash: 7CD0CAB4408A888EEB007F3492892AEBAE0EF00305F01043CE8C685280E2312CA8CA43

Non-executed Functions

Function 002741FE Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

LB[_, xrefs: 002742DC
{Gb?, xrefs: 00274285

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID:
String ID: LB[_${Gb?
API String ID: 0-1964652358
Opcode ID: 175029fe891b9fcfa31d7f8fb69868bc8bff8e106fadd78c3a14c6e0c3bd3c52
Instruction ID: e2c159357de0e46ac9a668f16883b6b600a48864ddbb7b1738af69f2146f6b55
Opcode Fuzzy Hash: 175029fe891b9fcfa31d7f8fb69868bc8bff8e106fadd78c3a14c6e0c3bd3c52
Instruction Fuzzy Hash: A65159F353C101EBD3047E25EC81A7ABBDAEBD5764F36C92EF6CA82604E77044209652

Function 000F58FB Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca16954e37454c2b971e6d5278d07f0cd2cdf831d00ddda88d16673a59d9e2e3
Instruction ID: 26f2e408ddeeabcac22154263b8c3d78e176bd65a4e64cfdfc2877b6ea75af14
Opcode Fuzzy Hash: ca16954e37454c2b971e6d5278d07f0cd2cdf831d00ddda88d16673a59d9e2e3
Instruction Fuzzy Hash: 69B111F3F016614BF3054A34CCA43627B92DB96321F2F42B98B589B3C6D93E5D0A9384

Function 0038C5F4 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd8bc1f6532321752e2a64ae3f55bde44e42fcc41b76c2e7f328ff49f6a078d
Instruction ID: af765c6e85853acd8715d2d980fcbeaabd3f29f711a8527e01e829b4a873e922
Opcode Fuzzy Hash: 1fd8bc1f6532321752e2a64ae3f55bde44e42fcc41b76c2e7f328ff49f6a078d
Instruction Fuzzy Hash: 6A4106B352C700DFC6023A2A9C9443AB7EDEF95320F3B697ED5C693A00D671594197A3

Function 0026FDFA Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60971072dbde5f07ac3179fd8abfbe8d82865522ff41e71b95c34bfd8632dfe9
Instruction ID: 0d5d636633ca45a3b8bf0430affefe94514f5bd4b2b518afc07fb9750eab27ed
Opcode Fuzzy Hash: 60971072dbde5f07ac3179fd8abfbe8d82865522ff41e71b95c34bfd8632dfe9
Instruction Fuzzy Hash: C5411AB251C3059FE709BF68E88267AFBE8FF18310F15092DE6C5C2211D6759890DB9B

Function 0026FE11 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2000928919.000000000026E000.00000040.00000001.01000000.00000003.sdmp, Offset: 000E0000, based on PE: true

Associated: 00000000.00000002.2000680955.00000000000E0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000701578.00000000000E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000718525.00000000000E6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000734709.00000000000EA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000754034.00000000000F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000857044.0000000000256000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000877491.0000000000258000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000898361.000000000026C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000914027.000000000026D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000928919.000000000027A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2000972496.000000000027E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001031296.0000000000280000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001052000.000000000028D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001068561.000000000028F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001083643.0000000000290000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001099409.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001120207.00000000002A8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001155820.00000000002AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001172321.00000000002B3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001189811.00000000002B7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001203856.00000000002B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001219902.00000000002BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001236339.00000000002BE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001251983.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001273130.00000000002CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001291361.00000000002CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001308641.00000000002CC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001325203.00000000002CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001343869.00000000002E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001359746.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001374645.00000000002ED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001390889.00000000002F3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001405819.00000000002F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001423025.00000000002F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001440483.0000000000305000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001456409.0000000000308000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001472974.0000000000314000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001488702.000000000031A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001503875.000000000031B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001517438.000000000031E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001533855.0000000000325000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001548586.0000000000327000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001566525.0000000000335000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001584456.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001601531.000000000033D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001618345.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001745767.0000000000384000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001763411.0000000000385000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.0000000000386000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001780905.000000000038E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001815584.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2001830460.000000000039E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96408fec012608c2bf6b017d337015b58bd19b38150bf03f06a4382fe095d728
Instruction ID: 0f720ddd70b8366df12de1669ed5a7343b34597b470e79af777c74be5cadd39b
Opcode Fuzzy Hash: 96408fec012608c2bf6b017d337015b58bd19b38150bf03f06a4382fe095d728
Instruction Fuzzy Hash: 8841E7B151C3059FE709BF68D88266AFBE8FF18310F16492DE6C582210DA759890DB9B

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7264, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7264, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 0027200A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
fileCOMMON

Function 0027206C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Function 00272092 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
fileCOMMON

Function 0027E29C Relevance: 4.6, APIs: 3, Instructions: 67
registryCOMMON

Function 002720D3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
fileCOMMON

Function 00272112 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
fileCOMMON

Function 0026F0CB Relevance: 1.6, APIs: 1, Instructions: 100
libraryCOMMON

Function 00271E45 Relevance: 1.6, APIs: 1, Instructions: 87
fileCOMMON

Function 048C0D43 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 048C0D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 048C1509 Relevance: 1.6, APIs: 1, Instructions: 56
serviceCOMMON

Function 048C1510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Function 048C1301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 048C1308 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON