Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1542945
MD5:	2d0218072ae23eb7b7ec78dfdec917ca
SHA1:	cff62e0bc78dd1a196ac01137dc87117c93c5804
SHA256:	3110a198fe21039ba773c8228b43ec38dfd3927a52012fddad5131c833bcd62a
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SIDT)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2D0218072AE23EB7B7EC78DFDEC917CA)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1708553652.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmp

Source: file.exe, 00000000.00000002.1843308100.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://go.microsoft.c

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060687E	0_2_0060687E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048DE62	0_2_0048DE62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060FEFF	0_2_0060FEFF

Source: file.exe, 00000000.00000000.1694888596.0000000000486000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04E815D0 ChangeServiceConfigA,

0_2_04E815D0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2745344 > 1048576

Source: file.exe

Static PE information: Raw size of kfuwxpfu is bigger than: 0x100000 < 0x298400

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.480000.0.unpack :EW;.rsrc:W;.idata :W;kfuwxpfu:EW;hpvretvg:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2a3ff7 should be: 0x2a172e

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: kfuwxpfu
Source: file.exe	Static PE information: section name: hpvretvg
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048F0E2 push eax; mov dword ptr [esp], 67AF4A95h	0_2_0048FA2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00613525 push 51AEE011h; mov dword ptr [esp], ebx	0_2_006143AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00606861 push eax; mov dword ptr [esp], 77BFA581h	0_2_0060689F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00606861 push edx; mov dword ptr [esp], ecx	0_2_006068C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00606861 push ecx; mov dword ptr [esp], ebp	0_2_006068D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00606861 push esi; mov dword ptr [esp], ebx	0_2_0060691E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048EA35 push edi; mov dword ptr [esp], ebx	0_2_0048F478
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049104C push 54ACACC4h; mov dword ptr [esp], ecx	0_2_004928AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061C064 push ecx; mov dword ptr [esp], esp	0_2_0061C888
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061C064 push 3A0B4E3Eh; mov dword ptr [esp], esi	0_2_0061C8A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061C064 push edi; mov dword ptr [esp], ebp	0_2_0061C8AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061B069 push 3D2412F6h; mov dword ptr [esp], edx	0_2_0061B304
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061406C push esi; mov dword ptr [esp], ecx	0_2_00614080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00608028 push 15246836h; mov dword ptr [esp], esi	0_2_0060802D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00608028 push 0B670A0Ch; mov dword ptr [esp], eax	0_2_0060803F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061C02A push 4CEAD345h; mov dword ptr [esp], ebx	0_2_0061C505
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00492013 push 27C89B1Fh; mov dword ptr [esp], ecx	0_2_00492DC2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00492013 push 6330AF4Eh; mov dword ptr [esp], edx	0_2_00492DDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493022 push eax; mov dword ptr [esp], edi	0_2_0049464B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048C027 push edi; mov dword ptr [esp], ecx	0_2_0048CAE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491035 push esi; mov dword ptr [esp], BC31A169h	0_2_00491036
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491035 push ecx; mov dword ptr [esp], esi	0_2_004910BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491035 push eax; mov dword ptr [esp], ecx	0_2_0049213C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00491035 push ecx; mov dword ptr [esp], esi	0_2_00493C58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061501C push 35FD2691h; mov dword ptr [esp], esi	0_2_0061502A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061501C push edx; mov dword ptr [esp], 4F51EE37h	0_2_00615031
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006180E4 push 1828C840h; mov dword ptr [esp], ebp	0_2_00618431
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048C0D3 push 71987199h; mov dword ptr [esp], ebp	0_2_0048C0DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0048C0D3 push esi; mov dword ptr [esp], ebx	0_2_0048C5B5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006190CD push edx; mov dword ptr [esp], 1BA9A076h	0_2_00619F2E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006140CF push 4323F8B4h; mov dword ptr [esp], ebp	0_2_006140EA

Source: file.exe

Static PE information: section name: entropy: 7.800225518351562

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F80A8 second address: 5F80AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F80AC second address: 5F80FD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1EE4CA6396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F1EE4CA63B0h 0x00000010 js 00007F1EE4CA63D5h 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F1EE4CA6396h 0x0000001e jmp 00007F1EE4CA63A9h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F80FD second address: 5F8110 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1EE4878186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F1EE4878186h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6065B5 second address: 6065BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6065BB second address: 6065BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 606873 second address: 606897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1EE4CA639Ah 0x0000000b popad 0x0000000c jnl 00007F1EE4CA639Eh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 606B93 second address: 606B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 606D36 second address: 606D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6094CB second address: 6094CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6094CF second address: 60951F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F1EE4CA6398h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1C84h], edx 0x0000002a push 00000000h 0x0000002c mov cx, dx 0x0000002f call 00007F1EE4CA6399h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F1EE4CA639Bh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60951F second address: 60956F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jp 00007F1EE4878186h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 ja 00007F1EE4878194h 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007F1EE4878195h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push esi 0x0000002a push eax 0x0000002b push edx 0x0000002c ja 00007F1EE4878186h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60956F second address: 6095E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pop eax 0x00000008 jmp 00007F1EE4CA63A3h 0x0000000d mov dword ptr [ebp+122D1CD2h], edi 0x00000013 push 00000003h 0x00000015 sub dword ptr [ebp+122D1DC6h], ebx 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F1EE4CA6398h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 jmp 00007F1EE4CA63A2h 0x0000003c mov edx, 1B198900h 0x00000041 push 00000003h 0x00000043 movsx esi, ax 0x00000046 push 5F69AF9Ah 0x0000004b jng 00007F1EE4CA63B1h 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6095E1 second address: 609624 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878193h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 60965066h 0x00000010 xor di, D738h 0x00000015 lea ebx, dword ptr [ebp+1244F312h] 0x0000001b xor ecx, dword ptr [ebp+122D2E9Bh] 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F1EE4878191h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60983D second address: 6098A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4CA63A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F1EE4CA63A1h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F1EE4CA63A3h 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b jmp 00007F1EE4CA63A4h 0x00000020 jng 00007F1EE4CA6398h 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b push esi 0x0000002c jc 00007F1EE4CA639Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6098A5 second address: 6098CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 pushad 0x0000000a jmp 00007F1EE4878197h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F30AE second address: 5F30B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F30B2 second address: 5F30B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 628FF0 second address: 629002 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F1EE4CA63A2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629002 second address: 629008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629008 second address: 629012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629983 second address: 62999D instructions: 0x00000000 rdtsc 0x00000002 js 00007F1EE4878186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1EE487818Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629C6D second address: 629C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629C75 second address: 629C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629C7B second address: 629C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629C82 second address: 629CA9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1EE487818Eh 0x00000008 jc 00007F1EE4878186h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F1EE487818Fh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629CA9 second address: 629CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4CA639Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F1EE4CA639Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629CC5 second address: 629CF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878195h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1EE4878193h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629CF3 second address: 629CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629FD3 second address: 629FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629FD7 second address: 629FE1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1EE4CA6396h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629FE1 second address: 629FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 629FED second address: 629FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61DDFE second address: 61DE04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61DE04 second address: 61DE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61DE0A second address: 61DE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62AA08 second address: 62AA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F1EE4CA63AAh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1EE4CA63A3h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62AB7E second address: 62AB8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jg 00007F1EE4878186h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62AB8E second address: 62AB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62AB92 second address: 62AB96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62DF5D second address: 62DF61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62C9CC second address: 62C9D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FB730 second address: 5FB738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 632C14 second address: 632C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1EE4878186h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63563E second address: 635682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F1EE4CA63A3h 0x0000000d ja 00007F1EE4CA6396h 0x00000013 jmp 00007F1EE4CA639Ah 0x00000018 jmp 00007F1EE4CA63A5h 0x0000001d popad 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6357B5 second address: 6357BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6357BE second address: 6357C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6357C2 second address: 6357C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6357C6 second address: 6357CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 635ADD second address: 635AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE487818Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 635AF2 second address: 635AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 635AFD second address: 635B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 635DBB second address: 635DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637D7E second address: 637D9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637E47 second address: 637ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jno 00007F1EE4CA63A4h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push esi 0x00000014 pushad 0x00000015 ja 00007F1EE4CA6396h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jnp 00007F1EE4CA63ACh 0x00000029 jmp 00007F1EE4CA63A6h 0x0000002e pop eax 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007F1EE4CA6398h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 mov esi, eax 0x0000004b push 1EE3320Ah 0x00000050 jo 00007F1EE4CA63B2h 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 637ECB second address: 637ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6381EC second address: 6381F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6383FF second address: 63840C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63840C second address: 63841B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1EE4CA639Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6384BF second address: 6384D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878193h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6384D6 second address: 6384DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638A91 second address: 638A9B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1EE4878186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638A9B second address: 638AB1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1EE4CA6398h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007F1EE4CA6396h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638AB1 second address: 638AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638B60 second address: 638B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638B64 second address: 638B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 638E54 second address: 638E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1EE4CA63A2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639511 second address: 639515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639515 second address: 639524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 639524 second address: 639529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63AEA4 second address: 63AEBA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1EE4CA6396h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63AEBA second address: 63AEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63AEC0 second address: 63AEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63CF4B second address: 63CF55 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1EE4878186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63CF55 second address: 63CF93 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1EE4CA639Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d mov si, di 0x00000010 push 00000000h 0x00000012 mov dword ptr [ebp+12461F8Fh], eax 0x00000018 xchg eax, ebx 0x00000019 push ebx 0x0000001a push edi 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop edi 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F1EE4CA63A6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63DB12 second address: 63DB16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63E59A second address: 63E5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63E5A1 second address: 63E5D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE487818Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jg 00007F1EE4878188h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1EE4878198h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63F203 second address: 63F233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F1EE4CA63A9h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1EE4CA639Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63FC34 second address: 63FC3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63FA6E second address: 63FA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6453D4 second address: 6453DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6464BC second address: 6464C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 645594 second address: 64560C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 nop 0x00000007 mov bx, 365Eh 0x0000000b push dword ptr fs:[00000000h] 0x00000012 call 00007F1EE487818Eh 0x00000017 pushad 0x00000018 call 00007F1EE487818Dh 0x0000001d pop edi 0x0000001e adc ah, FFFFFFD7h 0x00000021 popad 0x00000022 pop edi 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F1EE4878188h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov eax, dword ptr [ebp+122D0D15h] 0x0000004a push FFFFFFFFh 0x0000004c pushad 0x0000004d pushad 0x0000004e xor dword ptr [ebp+124629D8h], ebx 0x00000054 mov si, di 0x00000057 popad 0x00000058 popad 0x00000059 mov bl, ah 0x0000005b nop 0x0000005c pushad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64560C second address: 64562C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jmp 00007F1EE4CA639Fh 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6473E3 second address: 6473F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878190h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6499BA second address: 6499CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F1EE4CA6396h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6499CC second address: 6499D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6499D1 second address: 6499D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6499D7 second address: 6499DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64B865 second address: 64B86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64ABB8 second address: 64ABBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64B981 second address: 64B9CC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1EE4CA6396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 js 00007F1EE4CA6399h 0x0000001a mov di, cx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov edi, edx 0x00000026 mov eax, dword ptr [ebp+122D0F79h] 0x0000002c mov edi, ecx 0x0000002e push FFFFFFFFh 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 jmp 00007F1EE4CA63A6h 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64ABBD second address: 64AC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+122D272Ah] 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov edi, dword ptr [ebp+122D2C93h] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F1EE4878188h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov eax, dword ptr [ebp+122D08E9h] 0x00000046 mov dword ptr [ebp+124762A8h], edx 0x0000004c push FFFFFFFFh 0x0000004e or dword ptr [ebp+1246963Fh], edi 0x00000054 sub dword ptr [ebp+122D31B2h], ecx 0x0000005a nop 0x0000005b push ecx 0x0000005c jmp 00007F1EE4878194h 0x00000061 pop ecx 0x00000062 push eax 0x00000063 pushad 0x00000064 push ecx 0x00000065 js 00007F1EE4878186h 0x0000006b pop ecx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F1EE4878195h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64B9CC second address: 64B9DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64B9DB second address: 64B9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64B9DF second address: 64B9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 650A23 second address: 650A2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 650A2D second address: 650A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA63A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64DB14 second address: 64DB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 652149 second address: 652176 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1EE4CA6398h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F1EE4CA63A7h 0x00000011 jnc 00007F1EE4CA639Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6530C2 second address: 653162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F1EE4878188h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov ebx, 2E05278Bh 0x00000028 sub edi, dword ptr [ebp+122D3406h] 0x0000002e push dword ptr fs:[00000000h] 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F1EE4878188h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f push edi 0x00000050 xor bx, 6B9Dh 0x00000055 pop edi 0x00000056 mov ebx, dword ptr [ebp+122D38C7h] 0x0000005c mov dword ptr fs:[00000000h], esp 0x00000063 mov bh, F8h 0x00000065 mov eax, dword ptr [ebp+122D0891h] 0x0000006b and bh, FFFFFFD8h 0x0000006e push FFFFFFFFh 0x00000070 mov dword ptr [ebp+1246278Eh], esi 0x00000076 jmp 00007F1EE487818Dh 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e push ebx 0x0000007f jne 00007F1EE4878186h 0x00000085 pop ebx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 665040 second address: 665044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 665044 second address: 66504A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66504A second address: 66505C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1EE4CA639Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66505C second address: 665060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AC9F second address: 66ACA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66ACA3 second address: 66ACA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66ACA9 second address: 66ACAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66ACAF second address: 66ACF1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1EE4878196h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F1EE4878198h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66ACF1 second address: 66AD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4CA63A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F1EE4CA6398h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AE3E second address: 48DF12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F1EE4878186h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 638BC273h 0x00000015 pushad 0x00000016 mov bx, 8800h 0x0000001a and di, F4DEh 0x0000001f popad 0x00000020 push dword ptr [ebp+122D0AEDh] 0x00000026 cld 0x00000027 call dword ptr [ebp+122D28E7h] 0x0000002d pushad 0x0000002e jbe 00007F1EE487818Ch 0x00000034 add dword ptr [ebp+122D1CD2h], ecx 0x0000003a xor eax, eax 0x0000003c jmp 00007F1EE4878191h 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 jg 00007F1EE487818Dh 0x0000004b jne 00007F1EE4878187h 0x00000051 cld 0x00000052 mov dword ptr [ebp+122D2B32h], edx 0x00000058 mov dword ptr [ebp+122D2C7Bh], eax 0x0000005e clc 0x0000005f mov esi, 0000003Ch 0x00000064 mov dword ptr [ebp+122D1CF6h], edi 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e jmp 00007F1EE487818Bh 0x00000073 lodsw 0x00000075 cmc 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b mov al, cl 0x0000007d mov di, ax 0x00000080 popad 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 mov dword ptr [ebp+122D1C89h], ebx 0x0000008b push eax 0x0000008c push ebx 0x0000008d push eax 0x0000008e push eax 0x0000008f push edx 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 670B3C second address: 670B43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6710CE second address: 6710F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F1EE4878186h 0x00000009 jno 00007F1EE4878186h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jmp 00007F1EE4878191h 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6710F9 second address: 671127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4CA63A1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F1EE4CA639Fh 0x00000011 js 00007F1EE4CA6396h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 671127 second address: 671131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F1EE4878186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 671131 second address: 671135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 671992 second address: 6719A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F1EE4878188h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6719A0 second address: 6719BE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F1EE4CA63A2h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6773C1 second address: 6773CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6773CB second address: 6773D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6773D1 second address: 6773E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1EE487818Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6773E8 second address: 6773F8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6773F8 second address: 677408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE487818Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 677408 second address: 67740D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6006FC second address: 600719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1EE4878197h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600719 second address: 600723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F1EE4CA6396h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600723 second address: 600727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67630A second address: 67631B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1EE4CA639Ch 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67FB47 second address: 67FB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67E946 second address: 67E94B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67E94B second address: 67E951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67E951 second address: 67E981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA639Bh 0x00000009 popad 0x0000000a pushad 0x0000000b jc 00007F1EE4CA6396h 0x00000011 js 00007F1EE4CA6396h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a ja 00007F1EE4CA63CAh 0x00000020 push eax 0x00000021 push edx 0x00000022 jnp 00007F1EE4CA6396h 0x00000028 push esi 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EAB3 second address: 67EACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F1EE487818Ch 0x0000000e je 00007F1EE4878186h 0x00000014 push eax 0x00000015 jbe 00007F1EE4878186h 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EACF second address: 67EAEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1EE4CA63A7h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EAEE second address: 67EAF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67ED9B second address: 67EDAE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1EE4CA6396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007F1EE4CA6396h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EDAE second address: 67EDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EF13 second address: 67EF25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c je 00007F1EE4CA6396h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EF25 second address: 67EF29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67EF29 second address: 67EF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F089 second address: 67F09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE487818Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F09D second address: 67F0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F0A3 second address: 67F0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F0A7 second address: 67F0D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4CA639Ch 0x00000007 jmp 00007F1EE4CA63A4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F1EE4CA639Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F219 second address: 67F21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F51A second address: 67F527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F527 second address: 67F52D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F52D second address: 67F536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67E2FD second address: 67E322 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1EE4878188h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1EE4878193h 0x0000000f jo 00007F1EE4878186h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67E322 second address: 67E32C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1EE4CA6396h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 640D8D second address: 61DDFE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1EE487818Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, dword ptr [ebp+122D5C90h] 0x00000013 lea eax, dword ptr [ebp+12486AEDh] 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F1EE4878188h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 nop 0x00000034 jnl 00007F1EE4878190h 0x0000003a push eax 0x0000003b jmp 00007F1EE487818Fh 0x00000040 nop 0x00000041 xor ecx, 7BFCC3CAh 0x00000047 call dword ptr [ebp+122D2971h] 0x0000004d pushad 0x0000004e push esi 0x0000004f push edi 0x00000050 pop edi 0x00000051 jnl 00007F1EE4878186h 0x00000057 pop esi 0x00000058 pushad 0x00000059 push esi 0x0000005a pop esi 0x0000005b jno 00007F1EE4878186h 0x00000061 popad 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6412ED second address: 6412F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6412F1 second address: 6412F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 641513 second address: 64151D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1EE4CA6396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 641991 second address: 641A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F1EE4878188h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 push 00000004h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007F1EE4878188h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 0000001Dh 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f call 00007F1EE4878198h 0x00000044 pushad 0x00000045 jmp 00007F1EE487818Bh 0x0000004a je 00007F1EE4878186h 0x00000050 popad 0x00000051 pop edi 0x00000052 adc ch, FFFFFFFBh 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 jo 00007F1EE487819Fh 0x0000005e jmp 00007F1EE4878199h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 641D7A second address: 641D80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 641D80 second address: 641D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64219D second address: 6421A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 687994 second address: 68799D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 687F42 second address: 687F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 687F47 second address: 687F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 687F4F second address: 687F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 687F53 second address: 687F83 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1EE4878186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jg 00007F1EE4878186h 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007F1EE4878192h 0x0000001a push ebx 0x0000001b jng 00007F1EE4878186h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68B68E second address: 68B6C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F1EE4CA63A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007F1EE4CA63A9h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68D731 second address: 68D73F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F1EE487818Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68D73F second address: 68D751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a jng 00007F1EE4CA63A2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693A23 second address: 693A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693A27 second address: 693A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1EE4CA639Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693A3B second address: 693A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1EE4878192h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F1EE487819Ch 0x00000014 jg 00007F1EE4878186h 0x0000001a jmp 00007F1EE4878190h 0x0000001f pushad 0x00000020 jnl 00007F1EE4878186h 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 push esi 0x00000029 pop esi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693C02 second address: 693C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F1EE4CA63A7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693C2D second address: 693C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878196h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693C47 second address: 693C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693C4D second address: 693C53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 693C53 second address: 693C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 694020 second address: 694035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1EE4878190h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697DEB second address: 697E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1EE4CA6396h 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697E01 second address: 697E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6986D8 second address: 6986F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA63A3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69B997 second address: 69B9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F1EE4878190h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69B122 second address: 69B12A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69B6B2 second address: 69B6BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1EE4878186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69B6BC second address: 69B6C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1935 second address: 6A1945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F1EE4878186h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1FF4 second address: 6A1FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1FF8 second address: 6A2007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1EE4878186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A2603 second address: 6A2607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A2607 second address: 6A260D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A260D second address: 6A2617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1EE4CA6396h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A71FF second address: 6A7205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A7205 second address: 6A720A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A720A second address: 6A720F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A64DF second address: 6A64E9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1EE4CA6396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A6637 second address: 6A663B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A663B second address: 6A6654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA63A3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A6654 second address: 6A667C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE487818Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1EE4878195h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A667C second address: 6A6680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A6680 second address: 6A6686 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A67F7 second address: 6A6800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A6D52 second address: 6A6D60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnl 00007F1EE4878186h 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B3E7C second address: 6B3E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA63A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B2059 second address: 6B2072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F1EE487818Ah 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B2D67 second address: 6B2D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F1EE4CA6396h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B33EB second address: 6B33EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B33EF second address: 6B33F9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1EE4CA6396h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBCE2 second address: 6BBCE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBCE8 second address: 6BBCF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F1EE4CA639Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBCF9 second address: 6BBD09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1EE487818Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBD09 second address: 6BBD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBD0F second address: 6BBD17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BBD17 second address: 6BBD1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB6C8 second address: 6BB6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB6D0 second address: 6BB6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F1EE4CA639Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1EE4CA639Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BB854 second address: 6BB8A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4878197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1EE4878190h 0x0000000e jmp 00007F1EE487818Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007F1EE4878186h 0x0000001b jmp 00007F1EE487818Bh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CB74C second address: 6CB758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CB3A8 second address: 6CB3AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D32C2 second address: 6D32CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DA2B0 second address: 6DA2BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F1EE4878186h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E2C19 second address: 6E2C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 jnl 00007F1EE4CA6398h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E2DAE second address: 6E2DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F1EE487818Bh 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E308F second address: 6E30A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1EE4CA639Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E30A9 second address: 6E30AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E30AD second address: 6E30B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E30B1 second address: 6E30B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E91A9 second address: 6E91AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E91AD second address: 6E91B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E91B8 second address: 6E9202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 jnl 00007F1EE4CA6396h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007F1EE4CA63ACh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F1EE4CA63A8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E9202 second address: 6E920A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8C77 second address: 6E8C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA639Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8C86 second address: 6E8CBE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1EE4878186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F1EE487818Fh 0x0000000f jmp 00007F1EE4878196h 0x00000014 pushad 0x00000015 jo 00007F1EE4878186h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8E4D second address: 6E8E53 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8E53 second address: 6E8E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F1EE487818Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EEB8F second address: 6EEBA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE4CA63A0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EEBA3 second address: 6EEBA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702F8D second address: 702FAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F1EE4CA6396h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F1EE4CA6398h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jng 00007F1EE4CA639Eh 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702B00 second address: 702B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702B04 second address: 702B0D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702B0D second address: 702B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1EE487818Ch 0x00000009 jbe 00007F1EE4878186h 0x0000000f popad 0x00000010 jns 00007F1EE4878188h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 jc 00007F1EE487818Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702B3E second address: 702B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702B47 second address: 702B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702CA7 second address: 702CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F1EE4CA6396h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 702CBF second address: 702CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE487818Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1EE4878199h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70527D second address: 705299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1EE4CA63ABh 0x0000000b jmp 00007F1EE4CA639Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705299 second address: 7052A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F1EE4878186h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7052A7 second address: 7052B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1EE4CA639Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70A7A0 second address: 70A7BA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1EE487818Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F1EE4878186h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A7A second address: 715A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715A7E second address: 715A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 715B38 second address: 715B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1EE4CA63A8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 717848 second address: 71787C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F1EE4878199h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1EE4878190h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71787C second address: 717880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 719422 second address: 71943C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1EE4878192h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71943C second address: 719449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F1EE4CA6396h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 710717 second address: 71071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70F5A5 second address: 70F5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jnp 00007F1EE4CA6396h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70F5B3 second address: 70F5BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70F5BB second address: 70F5CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop esi 0x00000008 push ebx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70F5CE second address: 70F5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F1EE4878199h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7105AD second address: 7105B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7105B3 second address: 7105DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jl 00007F1EE48781AEh 0x0000000d ja 00007F1EE487818Eh 0x00000013 je 00007F1EE4878186h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f jmp 00007F1EE487818Ch 0x00000024 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 48DF4A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 62CAF4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 62C7F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 48B0C2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 65898E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6BD538 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7130000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006095B5 rdtsc

0_2_006095B5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0061BAAA sidt fword ptr [esp-02h]

0_2_0061BAAA

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7376

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006095B5 rdtsc

0_2_006095B5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0048B980 LdrInitializeThunk,

0_2_0048B980

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: ZProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	1 Process Injection	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	271 Virtualization/Sandbox Evasion	Security Account Manager	271 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Bypass User Account Control	1 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.c	file.exe, 00000000.00000002.1843308100.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542945
Start date and time:	2024-10-26 23:02:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.448423219100011
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'745'344 bytes
MD5:	2d0218072ae23eb7b7ec78dfdec917ca
SHA1:	cff62e0bc78dd1a196ac01137dc87117c93c5804
SHA256:	3110a198fe21039ba773c8228b43ec38dfd3927a52012fddad5131c833bcd62a
SHA512:	3e66a09f338710f258f07f92d9745623aab17d32153960e2c77840d317d592b39755b0f3a8709583b0c4136ae1d8bda6a250b0abba666a0829d46966a1b79dd3
SSDEEP:	49152:P/gRE3zze0U8CevjcgrFtan/atNR+CPAb8JN4y7mCb:gRE37U8/vogrFtahC2+iy7mY
TLSH:	ADD53DD2B90973CFD46E2F749917CE82695D46FD072108DBD86C64BA7E63CC122B9C28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`.. ...`....@.. ..............................?*...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6a6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F1EE5153CCAh
cmpps xmm5, dqword ptr [ecx], 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F1EE5155CC5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	ab19315e91080992d293b3c789147c41	False	0.9344618055555556	data	7.800225518351562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kfuwxpfu	0xa000	0x29a000	0x298400	92bcdc0321a9025444db2a8c91e2bfd8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hpvretvg	0x2a4000	0x2000	0x400	733213306a7beeed4f740a94e4a20f4c	False	0.7900390625	data	6.1996541612348075	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2a6000	0x4000	0x2200	0386b5ff727c82e466253725e6075a88	False	0.059857536764705885	DOS executable (COM)	0.6725231098124566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	17:02:59
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x480000
File size:	2'745'344 bytes
MD5 hash:	2D0218072AE23EB7B7EC78DFDEC917CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	16%
Signature Coverage:	4%
Total number of Nodes:	75
Total number of Limit Nodes:	5

Executed Functions

Function 04E815D0 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04E818C8

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: e5162a23783fe4c1f5eaa725abe16d6fa45a965f76503ac7b2faa1d7d58111f6
Instruction ID: f5bbe3d96bceb97557b86f9755a2623c4a9c273f4e9ba56f5678c7f90a5d3a9e
Opcode Fuzzy Hash: e5162a23783fe4c1f5eaa725abe16d6fa45a965f76503ac7b2faa1d7d58111f6
Instruction Fuzzy Hash: 22C16971D002599FDF10EFA8C8457AEFBB1FF45318F048629E85DA7294D774A882CB82

Function 006095B5 Relevance: 1.5, APIs: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0060964E

Memory Dump Source

Source File: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3121a9d6123122e966799df06d54ed78212079b8120ae3c1f17270abe483ddaa
Instruction ID: 5ab7aef5de4980952301adf98fe1468179a05616776903726c1823dc0981a5b1
Opcode Fuzzy Hash: 3121a9d6123122e966799df06d54ed78212079b8120ae3c1f17270abe483ddaa
Instruction Fuzzy Hash: 8EF0E2AA1E91177DF2079B601E64AFF622FE7D2774F304028F902BA0C3D6D48E0A2135

Function 0048B980 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f45ab778b18575e9ea31079b02ce65b8753812c85945d63e8adab1a6a60b0f
Instruction ID: 4324684b1ee4486c1808cec6777d452c0e8bb6f0742a903e352c6302d7ec2b3a
Opcode Fuzzy Hash: b0f45ab778b18575e9ea31079b02ce65b8753812c85945d63e8adab1a6a60b0f
Instruction Fuzzy Hash: 94C0C023208D47CF828006380E193447D40EF09604374070AD375C2ED6C336C1405705

Function 00613525 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0061385D
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00613884
GetNativeSystemInfo.KERNELBASE(?), ref: 006138DB

Strings

1*^k, xrefs: 00616135

Memory Dump Source

Source File: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID: 1*^k
API String ID: 1247124224-2723236836
Opcode ID: f39392f420a3d9fc0b41cc9228f9677be0b7833bb70286755a3f9d121dc404b6
Instruction ID: 6f4d3a9022c70f064ab072d059d1297f15d4746a9e8868627d155286cc84e1e0
Opcode Fuzzy Hash: f39392f420a3d9fc0b41cc9228f9677be0b7833bb70286755a3f9d121dc404b6
Instruction Fuzzy Hash: 6A416E7150411E9FEF21CF60C849AEF37AAFF01350F140526ED4282A51DBB65EE5DB58

Function 0048F0E2 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0048F9D6

Strings

W"TM, xrefs: 0048F87D

Memory Dump Source

Source File: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: W"TM
API String ID: 4275171209-2599280628
Opcode ID: 7493fce0aeafee4dca2e9b06d39fff16423be89bd2b9d611ec12c69e1195ec7f
Instruction ID: 169e2b18e9428333d51c499468fd6a5037d38b6a06abd7ea1b634471de93d5a7
Opcode Fuzzy Hash: 7493fce0aeafee4dca2e9b06d39fff16423be89bd2b9d611ec12c69e1195ec7f
Instruction Fuzzy Hash: 3601C0B611C781DFE348BF26954223EFAE5EF88310F229C2ED8C6C6150D73408869B0B

Function 04E815C4 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04E818C8

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: edb41fe216de6684b3d9fe86d97bc01cc02ea1340bfbd0ece9aaa523fd337660
Instruction ID: 7ddf72fd482d5b9f130ed51473a86890cb29ede07ac2f533330688b4e6c96dfd
Opcode Fuzzy Hash: edb41fe216de6684b3d9fe86d97bc01cc02ea1340bfbd0ece9aaa523fd337660
Instruction Fuzzy Hash: CAC16971D002598FDF10EFA8C9457AEFBB1BF45318F048629E85DA7294D774A882CB82

Function 00606861 Relevance: 1.6, APIs: 1, Instructions: 133
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00606861

Memory Dump Source

Source File: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9882da146519693e514b5a4668a27b8b2e934478b1d45e701187498ffffcbe5e
Instruction ID: bf64fe78cecdb41392b635e0ade071f58cf6a425a6db615e4daf318a0d3fcc1b
Opcode Fuzzy Hash: 9882da146519693e514b5a4668a27b8b2e934478b1d45e701187498ffffcbe5e
Instruction Fuzzy Hash: C5416BB250C610AFE306AF59D8856BAFBE9FF59320F12482DF6C9C3200D77555508BA7

Function 006066DE Relevance: 1.6, APIs: 1, Instructions: 115
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 006066DE

Memory Dump Source

Source File: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: de1c938b453c5d0b5d161883f3cf5130c160226f37cee90e36cbe93b8839dbba
Instruction ID: 2589119decd7869620c8324a89eaf6cdd73712aaa2778d94d4cdce2aa9f39bd3
Opcode Fuzzy Hash: de1c938b453c5d0b5d161883f3cf5130c160226f37cee90e36cbe93b8839dbba
Instruction Fuzzy Hash: B8316DF281C710AFD705BF28D98526ABBE4FF18760F16092DEAC593240E63598508B87

Function 00668855 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2a7a638a7fc65d3adeafce646ce6c048a1e7ca7c727eefd01f23935e2fc00f
Instruction ID: dd8c220da4263eb02c8236c867fd6079f2b4b1523c3629d58b1afe0b32e0d7c4
Opcode Fuzzy Hash: fe2a7a638a7fc65d3adeafce646ce6c048a1e7ca7c727eefd01f23935e2fc00f
Instruction Fuzzy Hash: 61415C71900205EFDB25CF78C949BBE7BB2FF05310F244259E952AB282CB75AC90DB56

Function 006685A2 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 0066864F

Memory Dump Source

Source File: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 31c6aa948ed768af54cf6f3ad11088ce1a152965221278b5a42438a7a788c859
Instruction ID: d8a3b912c6d14ba6c265b2bd2d6accf2a65a0d605387eaf540e5f2f0b2a67ec5
Opcode Fuzzy Hash: 31c6aa948ed768af54cf6f3ad11088ce1a152965221278b5a42438a7a788c859
Instruction Fuzzy Hash: A011E271A01228AFEB304A64CC48BEAB77DFF15B50F104295E805E7241DF74AD858AE1

Function 04E80D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E80DCD

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e71087a0f11cbe2124795fd838e4704daeab76693fd967c79000796963202514
Instruction ID: 9a99c1fa010a92575cca3a628f9d0d97ebac96f586ac62f13e887b36ca1390c0
Opcode Fuzzy Hash: e71087a0f11cbe2124795fd838e4704daeab76693fd967c79000796963202514
Instruction Fuzzy Hash: 6A2113B6C012189FCB50DF99D884ADEFBF4EB88324F15816AD808AB244D774A944CBA4

Function 04E80D41 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E80DCD

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 2f5eb1efc4c5fda411b7891703066f25eed8a5022878b0f4571d5101619fa5f9
Instruction ID: 8a20c4e2ca025fd7657b685a3cce31fe9ffbf756ff3234ffbd7a0a3b05e932c2
Opcode Fuzzy Hash: 2f5eb1efc4c5fda411b7891703066f25eed8a5022878b0f4571d5101619fa5f9
Instruction Fuzzy Hash: 752133B6C00218CFCB50DF99D485BDEFBF1FB88324F15822AD808AB244D734A945CBA4

Function 04E81510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E81580

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 65265a51c9519273eb3986a181ca8e62f258217d80b7642be6335f57c14553d2
Instruction ID: 6b2d9e1bb570ca35bc9df46d5208adcd0b10d594dd23e1cf3599d21580eeba85
Opcode Fuzzy Hash: 65265a51c9519273eb3986a181ca8e62f258217d80b7642be6335f57c14553d2
Instruction Fuzzy Hash: DB1114B1D00249CFDB10CF9AD584BDEFBF4EB48324F108029E559A3250D378AA44CFA5

Function 04E81509 Relevance: 1.6, APIs: 1, Instructions: 52
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E81580

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: e30dbc996a1ec6d85b346f0b70003f5ce6a01de9f5d04ee5f16e52a0aa2958b0
Instruction ID: d22cab3b7f7ee01bcf00c713332398c795e72d65d69c1d03a6e861ab47f3793c
Opcode Fuzzy Hash: e30dbc996a1ec6d85b346f0b70003f5ce6a01de9f5d04ee5f16e52a0aa2958b0
Instruction Fuzzy Hash: F11114B5D00249CFDB10DF9AD584BDEFBF4BB48324F10802AE959A7250D778A644CFA5

Function 04E81301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E81367

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 08467d8f406d2844d371936f2047dbd092da73b3548e873ddd100fe6c02cc0bf
Instruction ID: 1b72f0981dca64e29d20dc5ecebcd659ff097dfee0b79933012c501d27fb469d
Opcode Fuzzy Hash: 08467d8f406d2844d371936f2047dbd092da73b3548e873ddd100fe6c02cc0bf
Instruction Fuzzy Hash: DB1143B1800249CFDB10DF9AD584BEEFBF4EF48324F20842AD498A3240D778A945CFA5

Function 04E81308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E81367

Memory Dump Source

Source File: 00000000.00000002.1845394333.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: fe5f8eb6ecd61f6097a6e810f0f6ea76ae88f5e1d256f13aea55fbcbcbb94c28
Instruction ID: d3b581d5931849e07f8e0eddaba4d68504a146e6bec9a3669eeb53a510fe5ebb
Opcode Fuzzy Hash: fe5f8eb6ecd61f6097a6e810f0f6ea76ae88f5e1d256f13aea55fbcbcbb94c28
Instruction Fuzzy Hash: 791133B1800249CFDB10DF9AC545BEEFBF8EB48324F20846AD558A3650D778A984CFA5

Function 006095BD Relevance: 1.5, APIs: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0060964E

Memory Dump Source

Source File: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6c51c22c58940d0e4d20f312f31b4a6e50f95962fb92d63079a048b339524c06
Instruction ID: d63b831f2ebf69e4ca9943727c2b80970acff13d4a02cffc01265a954bbdc691
Opcode Fuzzy Hash: 6c51c22c58940d0e4d20f312f31b4a6e50f95962fb92d63079a048b339524c06
Instruction Fuzzy Hash: E0F024EA0E92177DF3069B605E656FB762EE792774F300028F802AB0C3C2D44A8A5235

Function 006095E8 Relevance: 1.5, APIs: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0060964E

Memory Dump Source

Source File: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c27e2e7521d37552bf2b88204c352f857f47494f2f71f3434c339e3a14cd88a9
Instruction ID: 7c641691d99af9f638f92bee5bb7b8977822ea0f739f89efa193cb0b9a113090
Opcode Fuzzy Hash: c27e2e7521d37552bf2b88204c352f857f47494f2f71f3434c339e3a14cd88a9
Instruction Fuzzy Hash: 69F024EB0E93426EF705CB709E645FB7B6FD652730F204029F401A60C3C2D59D0A2238

Function 00609618 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 0060964E

Memory Dump Source

Source File: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a8ba7b1710ec162222f528960783f0436f5a28863b7f9fa3b2d15642c795edb9
Instruction ID: 56ff142661826fe8de8b27ee5bb0cf7853fee16471217c18f3e6bdaffa72e752
Opcode Fuzzy Hash: a8ba7b1710ec162222f528960783f0436f5a28863b7f9fa3b2d15642c795edb9
Instruction Fuzzy Hash: C2E0D8972D92826DD10253B45D797E5BF69DB43374B2840A6F041991C3C585550D1235

Function 00613CD0 Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0061798A

Memory Dump Source

Source File: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 38f4c598008729285ea9334acf4bea119b42bd1c689348dfa8f4c4dd388aefb3
Instruction ID: a9ebbd73c4cbc89d9dac17ef1f799a2177dbd3fec02ea0f1f3285a84feeab071
Opcode Fuzzy Hash: 38f4c598008729285ea9334acf4bea119b42bd1c689348dfa8f4c4dd388aefb3
Instruction Fuzzy Hash: 58E06DB080D304EFC3046F14A58146EB6F6EF08710F648C2DF1C782300D6329C51AA62

Function 00609791 Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 006097B1

Memory Dump Source

Source File: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1212594f0fcd3362de323f0c4af0fdae46f07f516f6a8c837fea74c914abcd43
Instruction ID: 7a692c9f8302918dce0e5fa8374aad923a8dd8881b5618c378332aaae3002f8a
Opcode Fuzzy Hash: 1212594f0fcd3362de323f0c4af0fdae46f07f516f6a8c837fea74c914abcd43
Instruction Fuzzy Hash: 5AD0A7211AD79219C30B2F384CD127DBFB25F83700F0100AFE5C8CB1D3C2655105A366

Function 006681CC Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,006681C8,?,?,?,?,?,?,?), ref: 006681EC

Memory Dump Source

Source File: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5eca3b35ac187eec7334ad282cc4b96396e752cd5544e637c1ed17baef8855dd
Instruction ID: 97508ea2be55adf3899fe62d98fbdb7fe85f8562425cb8dc92eb0f22f2ebebb5
Opcode Fuzzy Hash: 5eca3b35ac187eec7334ad282cc4b96396e752cd5544e637c1ed17baef8855dd
Instruction Fuzzy Hash: D6F0FFB1900B05EFD724CF24CC04B98BBA8FF44B61F208028F58A9B291E7B198C0CB90

Function 0048EA35 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0048F48E

Memory Dump Source

Source File: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9fd7869b6ebc7306d087a1cf928c025f2dd73c6c8f669d79da6ddb235257433d
Instruction ID: f897db47433cf8b0354a9d5ccfc32db33b0a6d1285383cac3656ffc633d338d6
Opcode Fuzzy Hash: 9fd7869b6ebc7306d087a1cf928c025f2dd73c6c8f669d79da6ddb235257433d
Instruction Fuzzy Hash: B2F0A476608608CFDB003F79D8492ADBBA1EF51224F160B2ED9C287A90D6714855CB47

Non-executed Functions

Function 0048DE62 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

NTDL, xrefs: 0048E1F3

Memory Dump Source

Source File: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: 4c54e6690ee5d294cb81c5d6a710cea69332e3defb1ee6bdc06379c533fcd3c6
Instruction ID: 251fc1f7bcabba4c3582c471456168778430f6c38381958a88258ebb77cdaca4
Opcode Fuzzy Hash: 4c54e6690ee5d294cb81c5d6a710cea69332e3defb1ee6bdc06379c533fcd3c6
Instruction Fuzzy Hash: 0EA102B290421E8FDB11EF26C5405EF3BA5EF96320F244D6BD84183B42C7B64D12AB5E

Function 0060FEFF Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

}z}], xrefs: 006101ED

Memory Dump Source

Source File: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID:
String ID: }z}]
API String ID: 0-1849450537
Opcode ID: fbdf378aaca52d2c84ff7f6542d7f76e1e9f7c6d7e0329d0141c1642a78e3f0b
Instruction ID: 75a154f350eb3069607c2fc6d695a70fa818dcabc9c0e7b187329f72ec7c84ff
Opcode Fuzzy Hash: fbdf378aaca52d2c84ff7f6542d7f76e1e9f7c6d7e0329d0141c1642a78e3f0b
Instruction Fuzzy Hash: 6F417CB390C100DBE304AE39DC456BB77E79BA9300F39892EA5C6C3744E97159829683

Function 0060687E Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bf7a4cf748a2e21e41c14f4c1683f5d5482ecfc72cec94585cf5c45fafaab1
Instruction ID: 5e038d33095c76da090bbdfb24d47adeff11c42e51ba568c576b36920b3aa011
Opcode Fuzzy Hash: 45bf7a4cf748a2e21e41c14f4c1683f5d5482ecfc72cec94585cf5c45fafaab1
Instruction Fuzzy Hash: 903137B251C610AFE306AF59D8856BAFBE9FF59320F12482DE6C9C3200D7355990CB97

Function 0061BAAA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1842238539.000000000061B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00480000, based on PE: true

Associated: 00000000.00000002.1841915681.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841933967.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841951139.0000000000486000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841969549.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1841989096.0000000000496000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842099598.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842118944.00000000005F4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842138871.0000000000603000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842161794.0000000000607000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.0000000000608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842179425.000000000060E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842221054.000000000061A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842270638.0000000000641000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842288313.0000000000642000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842306051.0000000000643000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842327873.000000000064F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842344656.0000000000650000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842364950.0000000000656000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842420778.0000000000661000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842442494.0000000000662000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842504949.0000000000663000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842547832.0000000000667000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842594448.0000000000668000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842612226.000000000066A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842631398.0000000000674000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842649644.000000000067A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842666081.000000000067C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842684231.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842702582.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842719844.000000000068F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842737456.0000000000696000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842754086.0000000000699000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842770620.000000000069A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842787570.000000000069C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842806011.00000000006A5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842823593.00000000006AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842856912.00000000006B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842875192.00000000006B6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842895721.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842914087.00000000006C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842934582.00000000006D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842950876.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1842984069.000000000070B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843031820.000000000070C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.000000000070D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843056520.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843102602.0000000000724000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1843153982.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_480000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9027aab62178678c96cd1d328a71a247f27bfbce7d0f285f6bebc4af872900d2
Instruction ID: f69458523828f373cf6be8c9004de20af0536ad7e0762d58e4b23af35bbfda56
Opcode Fuzzy Hash: 9027aab62178678c96cd1d328a71a247f27bfbce7d0f285f6bebc4af872900d2
Instruction Fuzzy Hash: 25E04636108101AED700AF54D845ADFFBF8FF19321F259849E888CB722C3358D41CB2A

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7256, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7256, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 04E815D0 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Function 00613525 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
registryCOMMON

Function 0048F0E2 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38
memoryCOMMON

Function 04E815C4 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Function 00606861 Relevance: 1.6, APIs: 1, Instructions: 133
libraryCOMMON

Function 006066DE Relevance: 1.6, APIs: 1, Instructions: 115
libraryCOMMON

Function 00668855 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Function 006685A2 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 04E80D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 04E80D41 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 04E81510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Function 04E81509 Relevance: 1.6, APIs: 1, Instructions: 52
serviceCOMMON

Function 04E81301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON