Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1544237
MD5:	473c91c8363cf492cf6192686e4aeae8
SHA1:	4f56b6e25bbf8bb424a3fbb398040d980850a046
SHA256:	265c128a8a9421847dea2121ae5ce79efb601616c4fd060ff9863f4c2c498c2f
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SIDT)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 473C91C8363CF492CF6192686E4AEAE8)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 50%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4FDD9 CryptVerifySignatureA,

0_2_00F4FDD9

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1689782205.0000000004700000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F67319	0_2_00F67319
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF64D8	0_2_00EF64D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF6490	0_2_00EF6490
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFBA62	0_2_00FFBA62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F2CC5F	0_2_00F2CC5F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F92F81	0_2_00F92F81

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00F4ADCE appears 35 times

Source: file.exe, 00000000.00000000.1673279356.0000000000D66000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2838528 > 1048576

Source: file.exe

Static PE information: Raw size of bbzqfojp is bigger than: 0x100000 < 0x2af000

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;bbzqfojp:EW;ynvwdqnr:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2b68af should be: 0x2c0341

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: bbzqfojp
Source: file.exe	Static PE information: section name: ynvwdqnr
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5321 push esi; mov dword ptr [esp], 255745B4h	0_2_00EF534B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5321 push 20F1AF57h; mov dword ptr [esp], ecx	0_2_00EF536F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF5321 push eax; mov dword ptr [esp], ebx	0_2_00EF53CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6E7DD push esi; mov dword ptr [esp], ebp	0_2_00D6F6D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6ED83 push eax; mov dword ptr [esp], edi	0_2_00D6EF67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6ED83 push 41730DD3h; mov dword ptr [esp], ebx	0_2_00D6EF6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F01D2D push eax; mov dword ptr [esp], ebp	0_2_00F03854
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F02E8C push 68006DD1h; mov dword ptr [esp], eax	0_2_00F02B0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F020F8 push 3F1D00BFh; mov dword ptr [esp], ebx	0_2_00F0355F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F020F8 push 470F90ADh; mov dword ptr [esp], ebx	0_2_00F03C1B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF50E3 push 7A928A01h; mov dword ptr [esp], edi	0_2_00EF5271
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF50E3 push 40118F1Ah; mov dword ptr [esp], edx	0_2_00EF527B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F020D2 push esi; mov dword ptr [esp], ebx	0_2_00F020F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC90DB push 5845E4E2h; mov dword ptr [esp], eax	0_2_00FC913E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC90DB push 78C96993h; mov dword ptr [esp], eax	0_2_00FC9174
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC90DB push 39699A32h; mov dword ptr [esp], edi	0_2_00FC91B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF30D9 push ebp; mov dword ptr [esp], edi	0_2_00EF30EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F120CB push 307FA957h; mov dword ptr [esp], edi	0_2_00F120E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F030CE push 3C93D3E1h; mov dword ptr [esp], ebx	0_2_00F046F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F910BB push 16DFFF79h; mov dword ptr [esp], edx	0_2_00F910F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F020AC push edi; mov dword ptr [esp], 1A767739h	0_2_00F02999
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F670A8 push edx; mov dword ptr [esp], 1D6969CBh	0_2_00F670EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F670A8 push esi; mov dword ptr [esp], ecx	0_2_00F6710C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF8085 push eax; mov dword ptr [esp], 5C8FD256h	0_2_00EF857C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF8085 push ebx; mov dword ptr [esp], ecx	0_2_00EF865A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EF8085 push edi; mov dword ptr [esp], 02DCD9F9h	0_2_00EF87FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0209D push edi; mov dword ptr [esp], edx	0_2_00F04848
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F0209D push eax; mov dword ptr [esp], esi	0_2_00F06F4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDE073 push edx; mov dword ptr [esp], ecx	0_2_00FDE0BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F041 push 29B4EBF8h; mov dword ptr [esp], edi	0_2_00D6F046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F04069 push ebp; mov dword ptr [esp], esp	0_2_00F04086

Source: file.exe

Static PE information: section name: entropy: 7.808125394250483

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6DD86 second address: D6DD99 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD4D8D9C078h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6DD99 second address: D6DD9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6151 second address: EF6159 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE1CFF second address: EE1D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE1D03 second address: EE1D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE1D09 second address: EE1D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE1D0F second address: EE1D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD4D8D9C076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF58F3 second address: EF5901 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD4D8DCC438h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8D1E second address: EF8D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007FD4D8D9C07Ch 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D30C0h], esi 0x00000015 call 00007FD4D8D9C079h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FD4D8D9C07Fh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8D54 second address: EF8D6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC42Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8D6A second address: EF8D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8D6F second address: EF8D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8D75 second address: EF8E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f ja 00007FD4D8D9C092h 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e jmp 00007FD4D8D9C088h 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 jmp 00007FD4D8D9C07Dh 0x0000002d pop eax 0x0000002e mov ecx, edx 0x00000030 push 00000003h 0x00000032 mov dword ptr [ebp+122D2BD4h], eax 0x00000038 add ch, FFFFFF87h 0x0000003b push 00000000h 0x0000003d movzx edx, si 0x00000040 push 00000003h 0x00000042 mov dword ptr [ebp+122D30F8h], eax 0x00000048 push A6BAEAFFh 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FD4D8D9C084h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8E16 second address: EF8E5A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD4D8DCC439h 0x00000008 jmp 00007FD4D8DCC433h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f add dword ptr [esp], 19451501h 0x00000016 mov dword ptr [ebp+122D2BB0h], ebx 0x0000001c push ebx 0x0000001d mov edx, dword ptr [ebp+122D399Fh] 0x00000023 pop edi 0x00000024 lea ebx, dword ptr [ebp+1245EC28h] 0x0000002a push edx 0x0000002b mov edx, ecx 0x0000002d pop edx 0x0000002e mov esi, ebx 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8E5A second address: EF8E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C084h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8E73 second address: EF8E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8EBB second address: EF8EC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8EC0 second address: EF8ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8ECE second address: EF8ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8ED4 second address: EF8F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FD4D8DCC428h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 pushad 0x00000022 jmp 00007FD4D8DCC431h 0x00000027 sub ebx, dword ptr [ebp+122D3C57h] 0x0000002d popad 0x0000002e push 00000000h 0x00000030 or di, BCBEh 0x00000035 push 011D1742h 0x0000003a js 00007FD4D8DCC440h 0x00000040 xor dword ptr [esp], 011D17C2h 0x00000047 jmp 00007FD4D8DCC432h 0x0000004c push 00000003h 0x0000004e mov edx, dword ptr [ebp+122D3AFBh] 0x00000054 push 00000000h 0x00000056 mov dword ptr [ebp+122D383Eh], edi 0x0000005c push 00000003h 0x0000005e jmp 00007FD4D8DCC42Ch 0x00000063 push 89BDD7C0h 0x00000068 push eax 0x00000069 push edx 0x0000006a push edi 0x0000006b jmp 00007FD4D8DCC430h 0x00000070 pop edi 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8F90 second address: EF8FE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 36422840h 0x00000010 mov ecx, dword ptr [ebp+122D3C57h] 0x00000016 lea ebx, dword ptr [ebp+1245EC31h] 0x0000001c call 00007FD4D8D9C07Bh 0x00000021 adc ecx, 649CDBE7h 0x00000027 pop edx 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FD4D8D9C081h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8FE2 second address: EF8FE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8FE9 second address: EF900F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FD4D8D9C089h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9101 second address: EF911B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF911B second address: EF913B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 jmp 00007FD4D8D9C07Eh 0x0000000b pop ebx 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF913B second address: EF9141 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A57F second address: F0A5AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD4D8D9C07Fh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD4D8D9C084h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19CA6 second address: F19CAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19CAB second address: F19CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F17C50 second address: F17C70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007FD4D8DCC426h 0x0000000b pop ebx 0x0000000c jbe 00007FD4D8DCC42Ah 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push ecx 0x0000001a pushad 0x0000001b popad 0x0000001c pop ecx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F17DFE second address: F17E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F17E02 second address: F17E07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18075 second address: F18086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jg 00007FD4D8D9C076h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1859A second address: F1859F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18741 second address: F18750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FD4D8D9C076h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0CB02 second address: F0CB07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0CB07 second address: F0CB0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEBFFE second address: EEC007 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC007 second address: EEC00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC00D second address: EEC031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD4D8DCC437h 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC031 second address: EEC03B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD4D8D9C076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC03B second address: EEC03F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18E73 second address: F18E80 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD4D8D9C076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F18E80 second address: F18E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19420 second address: F19430 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19430 second address: F19434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F197F8 second address: F19845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007FD4D8D9C07Ah 0x0000000b jmp 00007FD4D8D9C07Ah 0x00000010 jng 00007FD4D8D9C08Ah 0x00000016 popad 0x00000017 pushad 0x00000018 jbe 00007FD4D8D9C085h 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19845 second address: F1984B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19B39 second address: F19B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FD4D8D9C076h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F19B46 second address: F19B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DDE9 second address: F1DDF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEA49E second address: EEA4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2016B second address: F20171 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F202BD second address: F202C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1EC12 second address: F1EC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1F344 second address: F1F34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1F34A second address: F1F354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FD4D8D9C076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F23DA6 second address: F23DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC434h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F23DBE second address: F23DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F23DC2 second address: F23DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD4D8DCC426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE89E6 second address: EE8A00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 push ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jng 00007FD4D8D9C076h 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE8A00 second address: EE8A0B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F232F0 second address: F232F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F236C0 second address: F236DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC42Ch 0x00000009 popad 0x0000000a jg 00007FD4D8DCC42Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F23941 second address: F23947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F23947 second address: F23958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 jl 00007FD4D8DCC426h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F23AA0 second address: F23AB2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD4D8D9C07Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26F40 second address: F26F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2716C second address: F27170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27170 second address: F2717B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27658 second address: F2766A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27C47 second address: F27C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27C4B second address: F27C51 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27C51 second address: F27C56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27C56 second address: F27C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C083h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FD4D8D9C080h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27C83 second address: F27C89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27D7A second address: F27D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F27D80 second address: F27D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28256 second address: F28271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD4D8D9C083h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F28271 second address: F282AD instructions: 0x00000000 rdtsc 0x00000002 je 00007FD4D8DCC426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FD4D8DCC428h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D30C5h] 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 js 00007FD4D8DCC426h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F282AD second address: F282B7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8D9C076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F29212 second address: F29216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F29216 second address: F29220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FD4D8D9C076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2A3D3 second address: F2A3D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2A3D7 second address: F2A3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2A3DD second address: F2A469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edx 0x0000000f ja 00007FD4D8DCC42Ch 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FD4D8DCC428h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push esi 0x00000032 mov si, cx 0x00000035 pop esi 0x00000036 push 00000000h 0x00000038 mov si, dx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007FD4D8DCC428h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 mov di, 7F82h 0x0000005b sub dword ptr [ebp+1245C93Fh], ecx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jns 00007FD4D8DCC428h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2AEAE second address: F2AEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2AEB4 second address: F2AEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2AEB8 second address: F2AEFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007FD4D8D9C07Eh 0x0000000f jo 00007FD4D8D9C078h 0x00000015 pushad 0x00000016 popad 0x00000017 nop 0x00000018 mov esi, dword ptr [ebp+122D390Fh] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 mov dword ptr [ebp+122D2E39h], ebx 0x00000029 pop edi 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d je 00007FD4D8D9C089h 0x00000033 jmp 00007FD4D8D9C083h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2AEFE second address: F2AF04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2AF04 second address: F2AF2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FD4D8D9C07Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2AF2D second address: F2AF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8DCC42Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2C953 second address: F2C965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 jp 00007FD4D8D9C076h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2DB0F second address: F2DB23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC42Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2D8D3 second address: F2D8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2DB23 second address: F2DB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2E593 second address: F2E5DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D3BE7h] 0x00000013 push 00000000h 0x00000015 mov si, 2CCBh 0x00000019 push 00000000h 0x0000001b mov esi, dword ptr [ebp+122D398Fh] 0x00000021 xchg eax, ebx 0x00000022 jmp 00007FD4D8D9C07Dh 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FD4D8D9C07Bh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2E5DC second address: F2E5E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F33C50 second address: F33C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F33C54 second address: F33CC2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD4D8DCC426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD4D8DCC437h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 movsx edi, di 0x00000016 mov ebx, dword ptr [ebp+122D1C7Eh] 0x0000001c push 00000000h 0x0000001e jnc 00007FD4D8DCC42Ch 0x00000024 push 00000000h 0x00000026 jmp 00007FD4D8DCC42Bh 0x0000002b xchg eax, esi 0x0000002c pushad 0x0000002d push eax 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 pop eax 0x00000031 jmp 00007FD4D8DCC438h 0x00000036 popad 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c pop edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F36BC6 second address: F36BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F36BCA second address: F36BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38A8A second address: F38A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38A8E second address: F38AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FD4D8DCC428h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov ebx, dword ptr [ebp+122D3B97h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007FD4D8DCC428h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 sub edi, 65573290h 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 push ebx 0x00000053 pop ebx 0x00000054 jmp 00007FD4D8DCC42Ch 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38AFD second address: F38B1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F38B1C second address: F38B22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39A60 second address: F39A64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E77 second address: F34E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F34E7E second address: F34E85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F35D1C second address: F35D21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BA53 second address: F3BA60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3BA60 second address: F3BA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39C9F second address: F39CC9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD4D8D9C07Ch 0x00000008 jc 00007FD4D8D9C076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FD4D8D9C087h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3DB62 second address: F3DB77 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD4D8DCC428h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3DB77 second address: F3DB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD4D8D9C076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37B78 second address: F37B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FD4D8DCC426h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FB8A second address: F3FB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FB8E second address: F3FB92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FB92 second address: F3FB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3CCB1 second address: F3CCC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jl 00007FD4D8DCC428h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3CCC6 second address: F3CCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3EC27 second address: F3EC2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3EC2D second address: F3EC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FD4D second address: F3FD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8DCC42Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FD5F second address: F3FD6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3FE23 second address: F3FE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42B81 second address: F42B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42B85 second address: F42B89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42B89 second address: F42BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push esi 0x0000000a jg 00007FD4D8D9C07Eh 0x00000010 push ebx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDCC05 second address: EDCC19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC42Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDCC19 second address: EDCC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF57E second address: EEF584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF584 second address: EEF5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD4D8D9C07Eh 0x0000000b popad 0x0000000c push ebx 0x0000000d jo 00007FD4D8D9C07Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4649D second address: F464AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC42Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F464AF second address: F464B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F464B4 second address: F464C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC42Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F464C4 second address: F464CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F464CF second address: F464D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE37E6 second address: EE37F7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FD4D8D9C07Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F55110 second address: F55114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F55114 second address: F55136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C086h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FD4D8D9C07Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F55136 second address: F55146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FD4D8DCC432h 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54735 second address: F54739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54739 second address: F5473D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F548B7 second address: F548C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FD4D8D9C076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F548C3 second address: F548C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F548C7 second address: F548CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F548CD second address: F548DD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD4D8DCC428h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54A54 second address: F54A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54A5A second address: F54A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54A5E second address: F54AB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD4D8D9C088h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jp 00007FD4D8D9C076h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pushad 0x00000017 pushad 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007FD4D8D9C080h 0x0000001f jmp 00007FD4D8D9C086h 0x00000024 popad 0x00000025 push ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54C25 second address: F54C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54C29 second address: F54C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54C2D second address: F54C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54C33 second address: F54C5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FD4D8D9C07Ch 0x0000000a jl 00007FD4D8D9C076h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FD4D8D9C07Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F54C5C second address: F54C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FD4D8DCC42Dh 0x0000000f ja 00007FD4D8DCC426h 0x00000015 jns 00007FD4D8DCC426h 0x0000001b popad 0x0000001c jnc 00007FD4D8DCC439h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDE6E5 second address: EDE6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDE6EB second address: EDE706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD4D8DCC42Ch 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007FD4D8DCC426h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5D806 second address: F5D80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5D80A second address: F5D82C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC42Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push eax 0x0000000e jo 00007FD4D8DCC426h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5D82C second address: F5D841 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FD4D8D9C076h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5D841 second address: F5D847 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDB0D0 second address: EDB0F5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8D9C076h 0x00000008 jmp 00007FD4D8D9C088h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDB0F5 second address: EDB0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDB0FA second address: EDB0FF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDB0FF second address: EDB10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD4D8DCC426h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDB10E second address: EDB120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C07Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65CC7 second address: F65CDF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FD4D8DCC42Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F65CDF second address: F65CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66275 second address: F66280 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66817 second address: F6681F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6681F second address: F66852 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC430h 0x00000007 pushad 0x00000008 jns 00007FD4D8DCC426h 0x0000000e jns 00007FD4D8DCC426h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD4D8DCC42Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66852 second address: F66863 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD4D8D9C07Ah 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66863 second address: F66878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC42Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F669E8 second address: F66A19 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD4D8D9C076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD4D8D9C07Ch 0x0000000f jmp 00007FD4D8D9C085h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66A19 second address: F66A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66A1F second address: F66A52 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD4D8D9C076h 0x00000008 jmp 00007FD4D8D9C083h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD4D8D9C084h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66BA1 second address: F66BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66D39 second address: F66D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD4D8D9C076h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FD4D8D9C081h 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007FD4D8D9C076h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F66EE9 second address: F66EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD4D8DCC426h 0x0000000a pop esi 0x0000000b push ebx 0x0000000c jo 00007FD4D8DCC42Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6AFE3 second address: F6AFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6B609 second address: F6B62C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FD4D8DCC42Bh 0x0000000d popad 0x0000000e jc 00007FD4D8DCC434h 0x00000014 push edi 0x00000015 je 00007FD4D8DCC426h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BB7A second address: F6BB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BB80 second address: F6BB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD4D8DCC428h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BCFC second address: F6BD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C085h 0x00000009 je 00007FD4D8D9C076h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BD1E second address: F6BD3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD4D8DCC435h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BFB4 second address: F6BFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jo 00007FD4D8D9C076h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6BFC3 second address: F6BFDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD4D8DCC42Fh 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F7E9 second address: F6F7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C07Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6F7FA second address: F6F816 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD4D8DCC426h 0x00000008 jmp 00007FD4D8DCC432h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F25A33 second address: F25A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D9C07Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F25A45 second address: F25A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F25A49 second address: F0CB02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD4D8D9C07Bh 0x0000000e nop 0x0000000f sub dword ptr [ebp+1245ED37h], esi 0x00000015 lea eax, dword ptr [ebp+1248B7CBh] 0x0000001b mov di, 45E2h 0x0000001f push eax 0x00000020 jmp 00007FD4D8D9C07Ah 0x00000025 mov dword ptr [esp], eax 0x00000028 push edi 0x00000029 push ebx 0x0000002a call 00007FD4D8D9C07Dh 0x0000002f pop edi 0x00000030 pop ecx 0x00000031 pop edx 0x00000032 call dword ptr [ebp+122D311Bh] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2629A second address: F2629E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2629E second address: F262A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F262A4 second address: F262CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD4D8DCC436h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jns 00007FD4D8DCC42Eh 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26537 second address: F2653C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2653C second address: F26542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F268D1 second address: F268D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26A4B second address: F26A58 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD4D8DCC426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F26B8F second address: F26B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0D5EE second address: F0D604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jmp 00007FD4D8DCC42Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0D604 second address: F0D60F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FD4D8D9C076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F75FDC second address: F75FF7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD4D8DCC432h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F75FF7 second address: F76003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F76003 second address: F76007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C33D second address: F7C348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C348 second address: F7C364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD4D8DCC42Ah 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FD4D8DCC426h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7C364 second address: F7C368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AE35 second address: F7AE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AE3B second address: F7AE5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C083h 0x00000009 popad 0x0000000a jg 00007FD4D8D9C078h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AFAD second address: F7AFB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B567 second address: F7B56D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B955 second address: F7B95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7B95D second address: F7B969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD4D8D9C076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7BB1A second address: F7BB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7AB78 second address: F7ABA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FD4D8D9C084h 0x0000000f je 00007FD4D8D9C076h 0x00000015 popad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F804EF second address: F804F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F804F3 second address: F804F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F804F7 second address: F80529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD4D8DCC432h 0x0000000d jmp 00007FD4D8DCC438h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FD80 second address: F7FDD5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8D9C076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD4D8D9C07Dh 0x0000000f push eax 0x00000010 jmp 00007FD4D8D9C083h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a jnl 00007FD4D8D9C090h 0x00000020 push ebx 0x00000021 push esi 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F7FDD5 second address: F7FDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80069 second address: F80073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80073 second address: F80077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80077 second address: F8007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8007D second address: F80082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80082 second address: F80088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F80088 second address: F80090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8246B second address: F8246F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F825DD second address: F825E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F825E5 second address: F825FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD4D8D9C080h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F825FA second address: F82604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FD4D8DCC426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F84E27 second address: F84E2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88ACB second address: F88ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88ACF second address: F88AD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88AD5 second address: F88AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD4D8DCC437h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F87F66 second address: F87FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C07Ah 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FD4D8D9C084h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FD4D8D9C082h 0x0000001b popad 0x0000001c pushad 0x0000001d jno 00007FD4D8D9C076h 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F880FB second address: F880FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F880FF second address: F8813B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD4D8D9C076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD4D8D9C087h 0x0000000f jne 00007FD4D8D9C088h 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F883C1 second address: F883E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FD4D8DCC434h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F883E2 second address: F88407 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD4D8D9C085h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88543 second address: F88560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FD4D8DCC435h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F88560 second address: F88570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD4D8D9C07Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F886F4 second address: F886F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E081 second address: F8E0A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Ch 0x00000007 jmp 00007FD4D8D9C07Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FD4D8D9C078h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E0A9 second address: F8E0CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC434h 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jl 00007FD4D8DCC426h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CCDC second address: F8CCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CCE0 second address: F8CD00 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD4D8DCC426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD4D8DCC432h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8CF96 second address: F8CFA2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD4D8D9C076h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D275 second address: F8D29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FD4D8DCC437h 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FD4D8DCC426h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8D411 second address: F8D42F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD4D8D9C089h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8F76A second address: F8F76E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F929AC second address: F929C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C080h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F929C0 second address: F929DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC432h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F929DC second address: F929E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95203 second address: F95207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A2E7 second address: F9A2EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A2EF second address: F9A2F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A2F5 second address: F9A320 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD4D8D9C076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD4D8D9C084h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A477 second address: F9A47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A47F second address: F9A483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9A483 second address: F9A4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC438h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9AA6C second address: F9AA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD4D8D9C076h 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9ACD8 second address: F9ACE3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FD4D8DCC426h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9ACE3 second address: F9ACF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jbe 00007FD4D8D9C076h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9ACF1 second address: F9ACF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9B2EA second address: F9B321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FD4D8D9C080h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD4D8D9C07Fh 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007FD4D8D9C078h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9B321 second address: F9B33D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC438h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9B33D second address: F9B368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C084h 0x00000007 jmp 00007FD4D8D9C083h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9B8DF second address: F9B8FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD4D8DCC42Bh 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FD4D8DCC426h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9B8FA second address: F9B8FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9BB99 second address: F9BBB6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8DCC42Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD4D8DCC42Bh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9BE9A second address: F9BEAD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8D9C076h 0x00000008 jbe 00007FD4D8D9C076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0573 second address: FA0577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0ADC second address: FA0B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD4D8D9C076h 0x0000000a pop eax 0x0000000b jmp 00007FD4D8D9C085h 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007FD4D8D9C076h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0B0E second address: FA0B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0C3D second address: FA0C4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push ecx 0x00000008 je 00007FD4D8D9C07Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0EEC second address: FA0EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA0EF0 second address: FA0F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007FD4D8D9C076h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA1094 second address: FA10A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC42Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA10A4 second address: FA10A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA10A8 second address: FA10C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD4D8DCC42Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA58BE second address: FA58C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA58C2 second address: FA58D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FD4D8DCC426h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA58D0 second address: FA58DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA58DA second address: FA58E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA58E0 second address: FA58E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA58E4 second address: FA5918 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD4D8DCC426h 0x00000008 jmp 00007FD4D8DCC42Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FD4D8DCC436h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA5918 second address: FA591E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA591E second address: FA5941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD4D8DCC426h 0x0000000a popad 0x0000000b jnc 00007FD4D8DCC438h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC418 second address: FAC43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push edi 0x00000007 pushad 0x00000008 jmp 00007FD4D8D9C088h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC43A second address: FAC440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC594 second address: FAC598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC598 second address: FAC59C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC59C second address: FAC5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC6E6 second address: FAC6F0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8DCC432h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAC6F0 second address: FAC6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FACC1A second address: FACC2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC42Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FACC2C second address: FACC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FADA0B second address: FADA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FD4D8DCC42Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FADA21 second address: FADA6C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD4D8D9C09Ch 0x00000008 jmp 00007FD4D8D9C080h 0x0000000d jmp 00007FD4D8D9C086h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007FD4D8D9C089h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FADA6C second address: FADA70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FABA08 second address: FABA0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE01D7 second address: EE01E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD4D8DCC426h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE01E2 second address: EE01EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE01EA second address: EE022D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FD4D8DCC42Ch 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FD4D8DCC433h 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FD4D8DCC431h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE022D second address: EE0238 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FD4D8D9C076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE0238 second address: EE0240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFB82 second address: FBFB91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3A59 second address: FC3A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3A5D second address: FC3A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3A63 second address: FC3A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3A6F second address: FC3AAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C086h 0x00000007 jmp 00007FD4D8D9C07Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FD4D8D9C081h 0x00000013 pushad 0x00000014 ja 00007FD4D8D9C076h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC360F second address: FC3615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC3615 second address: FC3619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9787 second address: FC9796 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD4D8DCC426h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC9796 second address: FC979C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC979C second address: FC97C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 jmp 00007FD4D8DCC438h 0x0000000b pop ebx 0x0000000c popad 0x0000000d push ebx 0x0000000e jo 00007FD4D8DCC428h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FC84B6 second address: FC84BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD1294 second address: FD129E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD4D8DCC426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD129E second address: FD12D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD4D8D9C080h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FD4D8D9C086h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD12D0 second address: FD12D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD12D4 second address: FD12E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD12E1 second address: FD12F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jnl 00007FD4D8DCC426h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7A41 second address: FD7A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7A45 second address: FD7A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007FD4D8DCC432h 0x0000000d push ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7A64 second address: FD7A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7D3E second address: FD7D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8DCC432h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7D54 second address: FD7D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Bh 0x00000007 jnp 00007FD4D8D9C076h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FD4D8D9C083h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD4D8D9C082h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80A2 second address: FD80B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FD4D8DCC42Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD80B5 second address: FD80C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FD4D8D9C076h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8228 second address: FD8231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8231 second address: FD8237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD8237 second address: FD823B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD823B second address: FD823F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDB293 second address: FDB29F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FD4D8DCC426h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDB29F second address: FDB2A9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD4D8D9C076h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDB2A9 second address: FDB2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDC23 second address: FDDC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDC2C second address: FDDC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDD93 second address: FDDD99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDD99 second address: FDDD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDD9D second address: FDDDC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C07Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD4D8D9C084h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDDC5 second address: FDDDF7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD4D8DCC426h 0x00000008 jmp 00007FD4D8DCC439h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 jng 00007FD4D8DCC426h 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDDDF7 second address: FDDDFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE909D second address: FE90A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF698D second address: FF69B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8D9C07Bh 0x00000009 popad 0x0000000a jmp 00007FD4D8D9C080h 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF69B3 second address: FF69BD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8DCC426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF3B6 second address: FFF3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD4D8D9C076h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FD4D8D9C076h 0x00000015 jmp 00007FD4D8D9C087h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDE6F7 second address: EDE706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jno 00007FD4D8DCC426h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF7A5 second address: FFF7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF7AB second address: FFF7B3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF7B3 second address: FFF7D9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD4D8D9C07Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007FD4D8D9C076h 0x00000015 popad 0x00000016 jg 00007FD4D8D9C07Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF7D9 second address: FFF7E3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD4D8DCC42Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF7E3 second address: FFF7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FD4D8D9C07Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFFC0A second address: FFFC14 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD4D8DCC42Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1001687 second address: 10016B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8D9C082h 0x00000007 jmp 00007FD4D8D9C086h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016B8 second address: 10016D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD4D8DCC438h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016D7 second address: 10016F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD4D8D9C088h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10016F3 second address: 1001701 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD4D8DCC426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1001701 second address: 1001707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1001707 second address: 100170D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002E88 second address: 1002E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002E8E second address: 1002E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002E93 second address: 1002ED3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD4D8D9C07Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FD4D8D9C07Ah 0x00000011 push edi 0x00000012 pop edi 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007FD4D8D9C084h 0x0000001a pushad 0x0000001b jmp 00007FD4D8D9C07Ah 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002ED3 second address: 1002EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002EDB second address: 1002EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1006165 second address: 1006195 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC438h 0x00000007 jmp 00007FD4D8DCC431h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1005BEC second address: 1005BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1005BF0 second address: 1005C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD4D8DCC42Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100C6D2 second address: 100C6E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FD4D8D9C07Ch 0x00000010 jc 00007FD4D8D9C076h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100FEBA second address: 100FED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD4D8DCC426h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d jmp 00007FD4D8DCC42Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100707F second address: 1007083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1007083 second address: 10070AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD4D8DCC432h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD4D8DCC430h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10070AF second address: 10070B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10070B3 second address: 10070BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10070BD second address: 10070C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1005E9E second address: 1005EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1005EA2 second address: 1005EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F29E49 second address: F29E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2A215 second address: F2A219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D6DDFE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F20207 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F1EA0E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D6DD0A instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4900000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF91BA rdtsc

0_2_00EF91BA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F0B604 sidt fword ptr [esp-02h]

0_2_00F0B604

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7428

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EF91BA rdtsc

0_2_00EF91BA

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D6B79E LdrInitializeThunk,

0_2_00D6B79E

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: =lProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4EF1B GetSystemTime,GetFileTime,

0_2_00F4EF1B

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	271 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	271 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	50%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544237
Start date and time:	2024-10-29 05:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.493835301781505
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'838'528 bytes
MD5:	473c91c8363cf492cf6192686e4aeae8
SHA1:	4f56b6e25bbf8bb424a3fbb398040d980850a046
SHA256:	265c128a8a9421847dea2121ae5ce79efb601616c4fd060ff9863f4c2c498c2f
SHA512:	09cebc8843d1f3aacc502af0e55736e24d7675ded01c7e402820cefda513d4826a7e91167cc548a1b356bf58defeaf3a456f08e24bc42d6b560382e351d73c12
SSDEEP:	49152:hB7Lsq3Y5sVCMfyPfrUF8gHZrOCOox7SkPFA:hB3sGYkCOyPfru5rEoxW4FA
TLSH:	C0D54B96B94572CFD48E17B48427CD87591C42B94B2108C7A86CB4BEBF67EC122BFC25
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................,......h+...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6bc000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD4D8D0067Ah
ucomiss xmm5, dqword ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	8c2d55778105ef17ccbdb9f6e2b2a06f	False	0.9338107638888888	data	7.808125394250483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bbzqfojp	0xa000	0x2b0000	0x2af000	f23ee005ad453ae2faa65d42f77c950e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ynvwdqnr	0x2ba000	0x2000	0x400	424fc4f14c0d52d5a0d3d976ecfabee2	False	0.728515625	data	5.75923506799732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2bc000	0x4000	0x2200	e6ed33c3d65263b5cdc36d825c591ec5	False	0.05801930147058824	DOS executable (COM)	0.6635176664795832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	00:01:57
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd60000
File size:	2'838'528 bytes
MD5 hash:	473C91C8363CF492CF6192686E4AEAE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	3.5%
Signature Coverage:	1.5%
Total number of Nodes:	341
Total number of Limit Nodes:	16

Executed Functions

Function 00EF91BA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00EF91C0

Strings

C, xrefs: 00EF9234

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: 30803a9bba2927f9fd7545e8688d2b4af72ea1ad680a18db4108f2f950ef4721
Instruction ID: 62b4ef86013892245a0ebfadb5bec9e6d9188d16681744244ab4d54ddde9e620
Opcode Fuzzy Hash: 30803a9bba2927f9fd7545e8688d2b4af72ea1ad680a18db4108f2f950ef4721
Instruction Fuzzy Hash: F811297220825EBDFB149F25FC507FF3798EBD5315B70902AFAC5E6513D2254D019A28

Function 00D6B79E Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 00D6B90E

Memory Dump Source

Source File: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: e404b68e764ee4fe848ca8e7b9373d9d418192bb8907214d3b60954e6114a3d3
Instruction ID: 8cb698c5fe43bab2269d52851e6aef65b29956356951d9f47ac363bce316eda4
Opcode Fuzzy Hash: e404b68e764ee4fe848ca8e7b9373d9d418192bb8907214d3b60954e6114a3d3
Instruction Fuzzy Hash: 15E0C2322449898BDB1A9F64880175D3B0DDB40720F904217FA51DBE49CB2D4D518B75

Function 00F4C4A1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 00F4C5B2
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00F4C5C6

Strings

.dll, xrefs: 00F4C4E9
1002, xrefs: 00F4C57C
.exe, xrefs: 00F4C50D

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 6e0f6f6594ef15d2efafca4f3238af3048b45dd8c8102dc1e78085fbd3988da2
Instruction ID: 1f1e0a429987b4b3d817996bc7eab9916d50ee616cd0e28c699f2fea5b460766
Opcode Fuzzy Hash: 6e0f6f6594ef15d2efafca4f3238af3048b45dd8c8102dc1e78085fbd3988da2
Instruction Fuzzy Hash: 4A318B72802209EFCF61AF54D900AAE7F75FF04321F14A155FE0196161D730AAA0FBE1

Function 00F4C9A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00F4C939,?,00000000,00000000), ref: 00F4CA64
GetModuleHandleA.KERNEL32(00000000,?,?,?,00F4C939,?,00000000,00000000), ref: 00F4CA72

Strings

.dll, xrefs: 00F4C9DA

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: ebef7399265695470a19adb2060935dea92424f7f06adb8bd7071ba154e382ca
Instruction ID: ebb94822f04a1fdd53ae9e101c61674a48c966328a0d26c3f8f82909ebcb00f4
Opcode Fuzzy Hash: ebef7399265695470a19adb2060935dea92424f7f06adb8bd7071ba154e382ca
Instruction Fuzzy Hash: 2F113C3150660DEBEBB0DF61C8187A97F70BF01399F04A226AD05548E0D7BD99E4FAD2

Function 00F4F301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00796FAC,-11565FEC), ref: 00F4F37A
GetFileAttributesA.KERNEL32(00000000,-11565FEC), ref: 00F4F388

Strings

@, xrefs: 00F4F32D

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 5da3815f3c7ee91d6bf2a5b35ad5221ae9d4374ab510228c100822a41dc727f8
Instruction ID: 63110aa05acfb06be03d3ad50aadd520ea2960e209ce16599cb5e8a3321f57a3
Opcode Fuzzy Hash: 5da3815f3c7ee91d6bf2a5b35ad5221ae9d4374ab510228c100822a41dc727f8
Instruction Fuzzy Hash: 8C01D131504208FBEB20DF54D909BADBE70BF40345F104135ED0A650A1C7789A99FB00

Function 00F4C774 Relevance: 4.6, APIs: 3, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

GetModuleFileNameA.KERNEL32(00000000,?,0000028B,-11565FEC,00000000,?), ref: 00F4C7B4
GetFullPathNameA.KERNEL32(?,0000028B,?,00000000,-11565FEC,?), ref: 00F4C804
GetModuleFileNameA.KERNEL32(?,?,?,?), ref: 00F4C87D

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: Name$FileModule$CurrentFullPathSleepThread
String ID:
API String ID: 90702387-0
Opcode ID: 0ed051ced67f10be75c88da400698d3b09036beb84bb61679636a5fb74a07702
Instruction ID: 7bef713297981721a1d3d6c64d375f123eea852b977a62bdbefb246da1bcd922
Opcode Fuzzy Hash: 0ed051ced67f10be75c88da400698d3b09036beb84bb61679636a5fb74a07702
Instruction Fuzzy Hash: 2D315C72A0124AEFEB61DF64CC88F9ABFB4FF45341F105194F90696150C7705991EFA1

Function 00F02E8C Relevance: 4.6, APIs: 3, Instructions: 78
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00F068E6
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00F0690D
GetNativeSystemInfo.KERNELBASE(?), ref: 00F06964

Memory Dump Source

Source File: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: e640548f7210ecea793ec1c35a5930a3d5ecd17de2289438ea2e392bf770d754
Instruction ID: c58d5a094648848d219479b49a1e12b7d998419f21238dcaf24c783346cc2cb2
Opcode Fuzzy Hash: e640548f7210ecea793ec1c35a5930a3d5ecd17de2289438ea2e392bf770d754
Instruction Fuzzy Hash: BC31F9B290420EDFEF15DF24C888BEF3AA5EF04315F100426E945C6980E7B65DA8EF59

Function 00EF8E45 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00EF8E8A

Strings

C, xrefs: 00EF9234

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: ed749c4605fde718d32bff215c1549dd485eb74871428ff03481369f8548cf54
Instruction ID: 35805e4966881474e0e4995b6a909a75ef7619182f3758c5880fbc90b5545230
Opcode Fuzzy Hash: ed749c4605fde718d32bff215c1549dd485eb74871428ff03481369f8548cf54
Instruction Fuzzy Hash: 0B3107B710C2597DF7018E61BE10AFF7BADE9D2330730906BF982D6413D2650D495631

Function 00EF8FC7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00EF9027

Strings

C, xrefs: 00EF9234

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: b3faeaa6eeed1dd233edd1f697fb6d6a5c99139d4fa4a8fb0a4242940acd8d83
Instruction ID: 07e3433485009f7f77b84ba4b8ca757b818aff6624bd68069adaafac2505dd4f
Opcode Fuzzy Hash: b3faeaa6eeed1dd233edd1f697fb6d6a5c99139d4fa4a8fb0a4242940acd8d83
Instruction Fuzzy Hash: B32131B220C26E7CF7018E21BD60BFE37ADEAE6330730A02AF982E6053D6554D495534

Function 00F4B381 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 00F4B3E3

Strings

\\?\, xrefs: 00F4B43E

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: e127de9b3995de84e7bbe567394b28fa470f06f13e6a9be16b1b4839cb9978b6
Instruction ID: f847c58ee0b18be3f72925a07d754d782ba46d059234fe7136d359f5af70a1f0
Opcode Fuzzy Hash: e127de9b3995de84e7bbe567394b28fa470f06f13e6a9be16b1b4839cb9978b6
Instruction Fuzzy Hash: 7131F435A0020ABFEF26DF94CC09B9EBE7AAF44351F001564BE01A50A3D776DA65EB50

Function 00F4CA90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00F4CAF4

Strings

.dll, xrefs: 00F4CAB1

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CurrentHandleModuleSleepThread
String ID: .dll
API String ID: 683542999-2738580789
Opcode ID: 001a9703c3686ecf6ffba8d1e283c45a27dbe446b49939ec86fbf8579e56461f
Instruction ID: 2a3b7862c85d0e8221766f4da8da8c4e69223f5256e46706a34227a775f59ff2
Opcode Fuzzy Hash: 001a9703c3686ecf6ffba8d1e283c45a27dbe446b49939ec86fbf8579e56461f
Instruction Fuzzy Hash: 91F09A72640208AFDF60EF64DC46BAA3FA5FF08350F108111FE158A162D739C8A0FAA1

Function 00F4F51D Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00796FAC,?,?,-11565FEC,?,?,?,-11565FEC,?), ref: 00F4F5CF

Part of subcall function 00F4F4CF: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F4F4DD

CreateFileA.KERNEL32(?,?,?,-11565FEC,?,?,?,-11565FEC,?), ref: 00F4F5EF

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 24ae78a87fbaf4550aa7f60ee613d66ff6a4493508ffb9215387471eb459151d
Instruction ID: 5c570f49d7e73da629cc0049f01a553abbc3c831db3fb15624bff9c16e5c714e
Opcode Fuzzy Hash: 24ae78a87fbaf4550aa7f60ee613d66ff6a4493508ffb9215387471eb459151d
Instruction Fuzzy Hash: 6B11D37240410AFBDF12AFA0DD09B9A3E72BF04355F184025BD19644B1DB7ACABAFB51

Function 00F4EE89 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

GetCurrentProcess.KERNEL32(-11565FEC), ref: 00F4EE96
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F4EEFC

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessSleepThread
String ID:
API String ID: 2846201637-0
Opcode ID: ba8f0aab26549dd618a3c14c4b423096dae45a37d38cf729524214c118efb274
Instruction ID: d95f220f2e43439a938528b41772b33aa3268652802d5c8ccd3a9725f3309c13
Opcode Fuzzy Hash: ba8f0aab26549dd618a3c14c4b423096dae45a37d38cf729524214c118efb274
Instruction Fuzzy Hash: 9201F67254004ABB8F12AFA8DC49DAE3F7ABF883647014615FE5494020C73AC4A2FB62

Function 00F4C8AE Relevance: 3.0, APIs: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F4AEAC: RtlAllocateHeap.NTDLL(00000000,00000000,00F4AB55,?,?,00F4AB55,00000008), ref: 00F4AEC6

GetModuleFileNameW.KERNEL32(?,?,?,-11565FEC,?,00000000,?,?), ref: 00F4C8F4
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,-11565FEC,?,00000000,?,?), ref: 00F4C913

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocateByteCharFileHeapModuleMultiNameWide
String ID:
API String ID: 1823253148-0
Opcode ID: 8ed6093c06488385f4a65223caa003ba129237571cb0d3af5ad798b0424c76c2
Instruction ID: 2d052988046a9a7f727dfe82b354f2dba82aa308b2bbcc211b57474c86132891
Opcode Fuzzy Hash: 8ed6093c06488385f4a65223caa003ba129237571cb0d3af5ad798b0424c76c2
Instruction Fuzzy Hash: AB01D632A0124AFFDF129F95CC04B9E7F71FF84320F109564F921561A0CB358A61BB50

Function 00F4ADCE Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: 456bd493506aa6e21d46f88dbc36e14d85336cd64032cd75ea4a14dad78522ed
Instruction ID: 241d204e4c2418964424284d4eac12ff31f8d862f8a879c7d84c68c3cc30a190
Opcode Fuzzy Hash: 456bd493506aa6e21d46f88dbc36e14d85336cd64032cd75ea4a14dad78522ed
Instruction Fuzzy Hash: 66F05932902106EBC7218F61C8887AE7BB4FF4132AF20003AD603810C0C3B55D95EE82

Function 00F4D508 Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00F4D5BD

Part of subcall function 00F4AEAC: RtlAllocateHeap.NTDLL(00000000,00000000,00F4AB55,?,?,00F4AB55,00000008), ref: 00F4AEC6

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocateCreateFileHeap
String ID:
API String ID: 3125202945-0
Opcode ID: 0756fa242576a0272d7c653db4e117f74643aa4a50ac31fb7ab78e33bd4fff16
Instruction ID: fca18eeb0b7c2030ef53405de31207821a8280c2a8916e50b1d1c451931e9635
Opcode Fuzzy Hash: 0756fa242576a0272d7c653db4e117f74643aa4a50ac31fb7ab78e33bd4fff16
Instruction Fuzzy Hash: B131A071900208BFEB209FA5DC45F9EBFB8FF44324F208269FD15AA191D7759951EB10

Function 00EF5321 Relevance: 1.6, APIs: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00EF5321

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e0b3edd2830d55c86c11a5789cc9d9179b34231dc1d55b524566173b8b6b302
Instruction ID: 2549ff2cf3c786e311d434c11016fdd2065b97ce30a421d4a1897931f33a8ef2
Opcode Fuzzy Hash: 6e0b3edd2830d55c86c11a5789cc9d9179b34231dc1d55b524566173b8b6b302
Instruction Fuzzy Hash: 6F3123B290C310EFE305AF19D8816BEFBE4EF89360F16482DE6C597610D73584808B97

Function 00F4CD24 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4AEAC: RtlAllocateHeap.NTDLL(00000000,00000000,00F4AB55,?,?,00F4AB55,00000008), ref: 00F4AEC6

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00F4CDA6

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocateCreateFileHeap
String ID:
API String ID: 3125202945-0
Opcode ID: 42169aae207b4ec83d8321d3fb62a9fd5518055bff050ac88150fdd64d546355
Instruction ID: a4898786ff1b720ba364bf34b216288e9136e0eb682c7ac0ffde8b18ce04a973
Opcode Fuzzy Hash: 42169aae207b4ec83d8321d3fb62a9fd5518055bff050ac88150fdd64d546355
Instruction Fuzzy Hash: D531E171A00205BBEB209F64EC45F997FB8FF04724F20426AFA10FA1D1C3B1A5419B90

Function 00EF8E70 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00EF8E8A

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 512d4017f0b636813bd64bc0fdeeda06cc2c406921f58b201ef935f4c6044a54
Instruction ID: c85cfde1f9f5282aaf3cf74e04ed95bc5e7036574b40dc98207afdbd26a1cdd6
Opcode Fuzzy Hash: 512d4017f0b636813bd64bc0fdeeda06cc2c406921f58b201ef935f4c6044a54
Instruction Fuzzy Hash: A7F044FB24C1583DF6208A626F24AFAB76DEAC2730B30942AF802D1842D2900E8D1631

Function 049A0D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 049A0DCD

Memory Dump Source

Source File: 00000000.00000002.1827951213.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49a0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: d60caa506a212fcebf705e5c85caa1ca104eeaa3bea285c00f36a3123d293dac
Instruction ID: cb860a3b35627008aad2f055330950280d48d05624fa454a2480de6ee0987d6e
Opcode Fuzzy Hash: d60caa506a212fcebf705e5c85caa1ca104eeaa3bea285c00f36a3123d293dac
Instruction Fuzzy Hash: 062115B6C013189FCB50CF99D884ADEFBF4FB88310F15812AD908AB245D774A554CBA4

Function 049A0D43 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 049A0DCD

Memory Dump Source

Source File: 00000000.00000002.1827951213.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49a0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 2fa07649cead7aad36f8be5831296a33df27343f7896c20ecf6a4c67f536198f
Instruction ID: 35852667a02e5845159be86adb11bca89c2da76ee0636e7ceaafb80cf3083d01
Opcode Fuzzy Hash: 2fa07649cead7aad36f8be5831296a33df27343f7896c20ecf6a4c67f536198f
Instruction Fuzzy Hash: C32127B6C013198FCB44CFA9D884BDEFBF5FB88310F15816AD909AB245C734A555CBA4

Function 00EF8F01 Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00EF8E8A

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 77d2258c155dfad51a69c11e917780cd570f2f8a66293307f9fa031d20723406
Instruction ID: 5f49f1c4980e5b0b8bc7d32b8f0b1bd369f2d046e912c67000c18718b11baceb
Opcode Fuzzy Hash: 77d2258c155dfad51a69c11e917780cd570f2f8a66293307f9fa031d20723406
Instruction Fuzzy Hash: 86F0F0AB54C1943CF21286322E20BFF7B6CEAD373473894AFF881D1403C2410E4A8236

Function 049A1510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 049A1580

Memory Dump Source

Source File: 00000000.00000002.1827951213.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49a0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 02d34abc22fb6c7f71dbd31e09c5712657b890dcb7a7f37f7431e0de90f58f53
Instruction ID: 84c2cb5b9b6e20ef76f56f22f438acf5c35da63c59aeeceabb8d7b2122a3795c
Opcode Fuzzy Hash: 02d34abc22fb6c7f71dbd31e09c5712657b890dcb7a7f37f7431e0de90f58f53
Instruction Fuzzy Hash: C611E4B19003499FDB10CF9AC585BDEFBF4EB48320F14802AE559A3250D778A644CFA5

Function 049A1509 Relevance: 1.6, APIs: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 049A1580

Memory Dump Source

Source File: 00000000.00000002.1827951213.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49a0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: e2cc0839a75b3af70d7eef02b01dbf4f84efb0f322ca386df2f43103001ded81
Instruction ID: 9ba059c76350ee66db0a1e0d757c2a42b28923143329ab4e8358b20a61acb85b
Opcode Fuzzy Hash: e2cc0839a75b3af70d7eef02b01dbf4f84efb0f322ca386df2f43103001ded81
Instruction Fuzzy Hash: 592112B59003498FDB10CFAAC584BDEFBF4EB48320F14842AE959A7250C778A654CFA5

Function 00F50055 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11565FEC), ref: 00F500DC

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CurrentFileSleepThreadView
String ID:
API String ID: 2270672837-0
Opcode ID: e6c5904bb06f9d884718875f9cde0882f2bbc596469cbde3e46d9673ec804b62
Instruction ID: 94c08209981ca64d40dd99135ad685861f9c242b2ed4a696ad3f9e31682c16c7
Opcode Fuzzy Hash: e6c5904bb06f9d884718875f9cde0882f2bbc596469cbde3e46d9673ec804b62
Instruction Fuzzy Hash: 4011A57254410AEFCF22AFA4DD05E9B3E66AF49352B004521FF1155061CB3AC4BAFBA1

Function 00F4FE3D Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: 0fb0dd9add96564c8cafd6d5ccc1ef4aa45d6649ca51d96a081e75b3ff727339
Instruction ID: e901259d23a08bf50d46c251fc2a41ff3ed09c8ef3ea823c0cf2a92a45658d20
Opcode Fuzzy Hash: 0fb0dd9add96564c8cafd6d5ccc1ef4aa45d6649ca51d96a081e75b3ff727339
Instruction Fuzzy Hash: 60115B7290020AFBCF12AFA4DD09E9E3FB5AF44305F004421BD0955076C779C9A9FB61

Function 049A1301 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 049A1367

Memory Dump Source

Source File: 00000000.00000002.1827951213.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49a0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 933ad3d9bcb5a17439b6428fd93ad71f217588c9b6daa3c37a8f72ac2c0d8aef
Instruction ID: 83d75c9508d96bf3f053e317b3794f75b3764dae71f2ce902656c2261e12d328
Opcode Fuzzy Hash: 933ad3d9bcb5a17439b6428fd93ad71f217588c9b6daa3c37a8f72ac2c0d8aef
Instruction Fuzzy Hash: BA1125B1800249CFDB10CF9AC485BDEFBF4EF48320F14842AD558A3250D778A544CFA5

Function 049A1308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 049A1367

Memory Dump Source

Source File: 00000000.00000002.1827951213.00000000049A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_49a0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 2d877389a455ba98f4a2b5f14eedd2631a779e08eab3d7ad0f7add22ff022cfa
Instruction ID: 0a585f1364093ffe05141ef1d6ea864e20cf2ccf5fbcb3d36181239a7f6870e9
Opcode Fuzzy Hash: 2d877389a455ba98f4a2b5f14eedd2631a779e08eab3d7ad0f7add22ff022cfa
Instruction Fuzzy Hash: 931103B1800349CFDB10DF9AC945BDEFBF8EB48320F24846AD559A3650D778A944CFA5

Function 00F4F721 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11565FEC,?,?,00F4D450,?,?,00000400,?,00000000,?,00000000), ref: 00F4F78D

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CurrentFileReadSleepThread
String ID:
API String ID: 1253362762-0
Opcode ID: 35bc9e3f4ebbcbdb6dc0eeebf4385a302cb57125e4afc21a3b72be00a600ddb3
Instruction ID: 4db286a8ee4bf5f3e9c84bc7a71d0f5deab56e28879793657c043d941efb22b1
Opcode Fuzzy Hash: 35bc9e3f4ebbcbdb6dc0eeebf4385a302cb57125e4afc21a3b72be00a600ddb3
Instruction Fuzzy Hash: 43F0C47664010ABBDF125FA4DC09E9E3FB6AF44350B045421FE1999021C73AC8A5FBA2

Function 00EF8FD7 Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00EF9027

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ef186a5b6b85af6684839789d9b792a49fd340f80b509fbd2882422e0b6a8fc3
Instruction ID: 5cb224a338f45cfc194f69e3b5bc35f8041f47382b2dc2dccf625eb1d1685773
Opcode Fuzzy Hash: ef186a5b6b85af6684839789d9b792a49fd340f80b509fbd2882422e0b6a8fc3
Instruction Fuzzy Hash: 06E02BB224C29A3CF71A8A641D60FBE379DD7D7370F30515AF842D50C7DE9448855160

Function 00EF8F85 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00EF9027

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 84101429561e3001be356e41beca675625e06e0dcde3c97dbfc637a1cf1ca7f5
Instruction ID: 2a88c910b9a3af0215529b083fbb5b6dc7036e03dabb1e146193f83f9f5a0138
Opcode Fuzzy Hash: 84101429561e3001be356e41beca675625e06e0dcde3c97dbfc637a1cf1ca7f5
Instruction Fuzzy Hash: B2F0F67230C24D6DDB15DB248B51B7E3B66EE82744B0458ACD982AB843CA514C549A5D

Function 00F4C704 Relevance: 1.5, APIs: 1, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00F4BEBA,00F4BEBA), ref: 00F4C74F

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 14d5a4c9f542ab251303b0efb2cab6e9af5112b4904bae6bfe1343215cf7e957
Instruction ID: 412d3044669f6c66d7fc8b1f1b8a37af7eb38e3644b09279cbd81a06ae69c73d
Opcode Fuzzy Hash: 14d5a4c9f542ab251303b0efb2cab6e9af5112b4904bae6bfe1343215cf7e957
Instruction Fuzzy Hash: 17E01277641008BBDF913F75DD0995E3E656F84350B00E021BD0594061DB79C551FAE6

Function 00F01D2D Relevance: 1.5, APIs: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00F0384D

Memory Dump Source

Source File: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0e125f633bac2d36a8f80692af284081d4872fed0cf86624be7be037a99b8e37
Instruction ID: 64713f5b7ba9db2068c447995f1f722639fa3caf884864474aeed9c96b2cc9fc
Opcode Fuzzy Hash: 0e125f633bac2d36a8f80692af284081d4872fed0cf86624be7be037a99b8e37
Instruction Fuzzy Hash: BBD0ECB251C7059FD7956E5884983BAB3D4EF08611F11081DE282C2240D6305440A7A6

Function 00EF9016 Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00EF9027

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 880fd6414ad350e8aa3d0ad92327109319eb7e1ce5033e6630e6c9a627db0d61
Instruction ID: 6e7760cc6a06e583615d8e89a147aada3722702c5746d87c67f338e6d6e13546
Opcode Fuzzy Hash: 880fd6414ad350e8aa3d0ad92327109319eb7e1ce5033e6630e6c9a627db0d61
Instruction Fuzzy Hash: 6BD0227124C30829EB14C9701AA1B7E3781CB832A0F202568C482DA2C3C5508C0B8240

Function 00F4AEAC Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00F4AB55,?,?,00F4AB55,00000008), ref: 00F4AEC6

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6c83dd4e4dc0b52adc629d91ba81e06c3a2691b88011d29eea44260e99d9de59
Instruction ID: c70c7a49f706b7cf462bcafe1c9871bc632623f5d1624141da2eb3fe5b86ead0
Opcode Fuzzy Hash: 6c83dd4e4dc0b52adc629d91ba81e06c3a2691b88011d29eea44260e99d9de59
Instruction Fuzzy Hash: F1D01273600305B7CE355A5ADC09F9F7E7CEBC5B91F000121F90290440D766E151D5B5

Function 00F4AF9F Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 00F4B003

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 7f99c1fd629a8e415469ceaf1429f635c75d16c9b3da3370168e042f3434f1d3
Instruction ID: fad06ef1cb0ac09029fc7c24ebc8e3004bfe0c56d837468827e15210e5213d23
Opcode Fuzzy Hash: 7f99c1fd629a8e415469ceaf1429f635c75d16c9b3da3370168e042f3434f1d3
Instruction Fuzzy Hash: 1801D636A0010DBFCF269FA8CC05E9EBF76EF48352F005161A810A5061DB339661EB61

Function 00F4DB22 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

CloseHandle.KERNELBASE(00F4D4E5,-11565FEC,?,?,00F4D4E5,?), ref: 00F4DB60

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CloseCurrentHandleSleepThread
String ID:
API String ID: 4003616898-0
Opcode ID: 75a331417cdf91cefe6ddaa1da1a26aba3dc1a240426df888531d59295b6bf1e
Instruction ID: 3e4d7d7e86dfc11efc78004b29adc813f9a54001d1492205009bc85630e10652
Opcode Fuzzy Hash: 75a331417cdf91cefe6ddaa1da1a26aba3dc1a240426df888531d59295b6bf1e
Instruction Fuzzy Hash: 9CE086A7680009B7CE117B7AEC09D5E3F78DFC0384B011122FE0185116CB39C492F672

Function 00D6E7DD Relevance: 1.3, APIs: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00D6F3AB

Memory Dump Source

Source File: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a6a156c67086271814f05c2ba0b5077140361636a1d7549a1522787721e6ac80
Instruction ID: 07606b23360806b3d734969509060a94a01d2deb4d5752324d31fa6def77075e
Opcode Fuzzy Hash: a6a156c67086271814f05c2ba0b5077140361636a1d7549a1522787721e6ac80
Instruction Fuzzy Hash: 47E065B881CA14DFE700AF29E0413BDBBE0EF89340F118839C6C293A44E63648449BA6

Function 00D6ED83 Relevance: 1.3, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00D6ED88

Memory Dump Source

Source File: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a68a7156703699d7b8de9d731e49928b30d96ebf10474d80392467ac5d6264f8
Instruction ID: 10703a210361c6fa50de4b8b028ceb2cbac98dd04a5c38c4e586b4382476aec7
Opcode Fuzzy Hash: a68a7156703699d7b8de9d731e49928b30d96ebf10474d80392467ac5d6264f8
Instruction Fuzzy Hash: 25E0C2B584CA49DFC7946F31C44866EBBF0FF45311F120A1CE8E286A90C7729890DB27

Function 00F4CBE7 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00F4AC6D,?,?), ref: 00F4CBED

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 265c7e543947f5ad24f785ccd34414288e39588f412238b4db309bc84108eb25
Instruction ID: 2b62722c0068fdfc8614296e6ee2e1d2579672731227ce63fc307723e185c813
Opcode Fuzzy Hash: 265c7e543947f5ad24f785ccd34414288e39588f412238b4db309bc84108eb25
Instruction Fuzzy Hash: 31B09231001108BBCB42BF52FC0684DBF79FF5A399B009121BD05440318B76E964EBD0

Non-executed Functions

Function 00F4EF1B Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

GetSystemTime.KERNEL32(?,-11565FEC), ref: 00F4EF50
GetFileTime.KERNEL32(?,?,?,?,-11565FEC), ref: 00F4EF93

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: Time$CurrentFileSleepSystemThread
String ID:
API String ID: 3818558864-0
Opcode ID: ebe69059c5c04073894a1e95156425323b7e2a411dd84a33c48b08df43692080
Instruction ID: 330512f71769a8c110d16ec7ad3a77568c691e7d2d314c53e11f3330ef06b555
Opcode Fuzzy Hash: ebe69059c5c04073894a1e95156425323b7e2a411dd84a33c48b08df43692080
Instruction Fuzzy Hash: AE01D23224044AFBCF21AF69EC08D9E7F76FFC5321B408221F95185060CB35D8A5EA62

Function 00FFBA62 Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

WO~, xrefs: 00FFBBD3
ga~}, xrefs: 00FFBE05

Memory Dump Source

Source File: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: WO~$ga~}
API String ID: 0-2345489174
Opcode ID: 8e8cb85e33a82513877bbcda27e1f9b19620e48ec68ca246a737257dc06a2912
Instruction ID: e4f1125f0f9d0d36beafabcb83fb265fdda99202f14fe12ca513c6ea25a48882
Opcode Fuzzy Hash: 8e8cb85e33a82513877bbcda27e1f9b19620e48ec68ca246a737257dc06a2912
Instruction Fuzzy Hash: EEB147F3A082049FE7149E2DEC8076BB7E5EF98720F29453DEB84C3754E63A5C048696

Function 00F67319 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

eh}{, xrefs: 00F67423
JfW, xrefs: 00F673B8

Memory Dump Source

Source File: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID: JfW$eh}{
API String ID: 0-450012108
Opcode ID: 1d59578c9e3ad10049c2ecf4a2e8066e7a4466246dec39196c57394b78496f35
Instruction ID: df4da1b66c9cf31374177d6a14b2de0565fa112e41e30141767d5aaba3d6deec
Opcode Fuzzy Hash: 1d59578c9e3ad10049c2ecf4a2e8066e7a4466246dec39196c57394b78496f35
Instruction Fuzzy Hash: AF5109B351C300DFD308BA29DD8673AB7E5EB94324F25852DEAC6C3744E9345841B697

Function 00F4FDD9 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00F4FE20

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: cc6349345cca2603dbed5cbb672d6eef2bfeb6d0258f3524a19b0b84b14d5f99
Instruction ID: e9534304e796da309f167fa230374a04c920722be13aa8f9d3071cff8dd228fa
Opcode Fuzzy Hash: cc6349345cca2603dbed5cbb672d6eef2bfeb6d0258f3524a19b0b84b14d5f99
Instruction Fuzzy Hash: C5F0D43260020AEFCF01CF94D90498D7BB2FF08306B108165FA0596121D7759664EF80

Function 00F2CC5F Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e21dde4fda16286be51b3da654cdebc0faa3cf82a87327b2dd3d8970358e07
Instruction ID: 816e27f49f418b0b20df9a8516a29082086b875b7df0f1fec82e6a8ebf47d09b
Opcode Fuzzy Hash: c1e21dde4fda16286be51b3da654cdebc0faa3cf82a87327b2dd3d8970358e07
Instruction Fuzzy Hash: A64102F350CA20EFD3056A28FC54B7EBBE5EB94310F66493ED2D286704E2354891B6D6

Function 00F92F81 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb944698e825f0ede30189be841013ab8c3ca705cd2f5a629893287b4f64a2a
Instruction ID: 6f939aeb360a09baa81051a9f5bd7939f234593cc553d95456b3115c3f702270
Opcode Fuzzy Hash: 6bb944698e825f0ede30189be841013ab8c3ca705cd2f5a629893287b4f64a2a
Instruction Fuzzy Hash: 6E3178B250C210AFE745AF2DD84166AFBE9EF98710F164D2EEAC5C3210E7319850CB87

Function 00EF6490 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c9bcb7362f8b40ad1e667e04e166fa33ff430bc78da5c0796f92fc0fcce699
Instruction ID: ec4b6d173e46cf9f9e6a1a391e2e1702e8b9262b40b0d3b811ef91cc5fdea539
Opcode Fuzzy Hash: 48c9bcb7362f8b40ad1e667e04e166fa33ff430bc78da5c0796f92fc0fcce699
Instruction Fuzzy Hash: 88116AB300C208DFE300AE25DC809BAB6D6E7C0310F625A2EC782AA748E63154429647

Function 00EF64D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0598c30f2e2b06fd4051332e960f3874d00b155f5767da485b121c97648e2c8
Instruction ID: b0faef7b3700b84fc95457112fc3fe8e90812fd870541c2eca204201a956363e
Opcode Fuzzy Hash: c0598c30f2e2b06fd4051332e960f3874d00b155f5767da485b121c97648e2c8
Instruction Fuzzy Hash: AB119EB300C20CDFE3049E26DCC19BAB6D6E7C0310F665B2EC783A7748E63154429647

Function 00F0B604 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9e9301de91be117effebd8bc9f54d928823e962d35859b8be7ddac0236625b
Instruction ID: 44f8f8eab7aca29578ef0b7a139cf1072ead214ad55ae554e068d9cb817def32
Opcode Fuzzy Hash: 7e9e9301de91be117effebd8bc9f54d928823e962d35859b8be7ddac0236625b
Instruction Fuzzy Hash: 83E086761042019EC7009F64C85599FFBF4FF19321F608445E444C7762C3768D41DB29

Function 00F4E451 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00F4ADCE: GetCurrentThreadId.KERNEL32 ref: 00F4ADDD
Part of subcall function 00F4ADCE: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F4AE20

Part of subcall function 00F4F4CF: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F4F4DD

wsprintfA.USER32 ref: 00F4E497
LoadImageA.USER32(?,?,?,?,?,?), ref: 00F4E55B

Strings

%8x, xrefs: 00F4E492, 00F4E495
%8x, xrefs: 00F4E525, 00F4E558

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: CurrentImageLoadSleepThreadWritewsprintf
String ID: %8x$%8x
API String ID: 2375920415-2046107164
Opcode ID: 8303eae78e156c2c469d980a3ca0d4c6ee3798d9ac578960b67b403135c029cc
Instruction ID: eeec5590349bcf4e304c115c75b7745823638793f86624bd9963d003938e2122
Opcode Fuzzy Hash: 8303eae78e156c2c469d980a3ca0d4c6ee3798d9ac578960b67b403135c029cc
Instruction Fuzzy Hash: 1D31F471A0010AABDF11DFA4DC09FAEBF75FF88310F108126BA11A61A0D7719A61EB61

Function 00F4F022 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00796FAC,00004020,00000000,-11565FEC), ref: 00F4F10F

Strings

@, xrefs: 00F4F04E

Memory Dump Source

Source File: 00000000.00000002.1826074376.0000000000F43000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true

Associated: 00000000.00000002.1825416403.0000000000D60000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825433984.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825457696.0000000000D66000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825483190.0000000000D6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825512999.0000000000D74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825533967.0000000000D75000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825558167.0000000000D76000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825759387.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825789517.0000000000EDC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825829416.0000000000EFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825881219.0000000000EFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825901048.0000000000F00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825922388.0000000000F09000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825939245.0000000000F0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1825986447.0000000000F1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826021969.0000000000F1B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826056419.0000000000F38000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826095377.0000000000F51000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826114293.0000000000F52000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826130772.0000000000F53000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826146667.0000000000F55000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826164470.0000000000F5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826180321.0000000000F5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826257675.0000000000F69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826276848.0000000000F6C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826294459.0000000000F74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826315044.0000000000F77000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826342158.0000000000F78000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826368365.0000000000F7D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826394344.0000000000F8A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826412293.0000000000F90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826431247.0000000000F9B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826449835.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826467223.0000000000FA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826484884.0000000000FA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826503385.0000000000FAD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826519276.0000000000FAF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826537287.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826552877.0000000000FBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826586113.0000000001002000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826602376.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.0000000001004000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826618675.000000000100C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826656419.000000000101A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1826673335.000000000101C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 741b76d2f96c053c0b1738b8dcfa4e0e5fc3e9c6300c5c416b19eb5ad7292af1
Instruction ID: 26717af9a7f0086a198602e1981cdb05319e91b01e5a343e4f97233a6f5f21a0
Opcode Fuzzy Hash: 741b76d2f96c053c0b1738b8dcfa4e0e5fc3e9c6300c5c416b19eb5ad7292af1
Instruction Fuzzy Hash: 79319E71900705EFCB24CF54D844B8ABFB0FF48310F008529E95A67651C3B9EAA9EF90

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7272, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7272, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 00EF91BA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
fileCOMMON

Function 00F4C4A1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 00F4C9A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 00F4F301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 00F4C774 Relevance: 4.6, APIs: 3, Instructions: 87
COMMON

Function 00F02E8C Relevance: 4.6, APIs: 3, Instructions: 78
registryCOMMON

Function 00EF8E45 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 144
fileCOMMON

Function 00EF8FC7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
fileCOMMON

Function 00F4B381 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 00F4CA90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 00F4F51D Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 00F4EE89 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 00F4C8AE Relevance: 3.0, APIs: 2, Instructions: 39
COMMON

Function 00F4ADCE Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON