Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561503
MD5:	00737bada48d092c96d1d6a8829f680f
SHA1:	55dfedce4c520fe53ca2180f848e2089924365fb
SHA256:	d550c57c2b194b654d639537aa23827b98e2f03f0bd58957c7ae1bef570253e9
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 00737BADA48D092C96D1D6A8829F680F)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000005.00000003.1284730596.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB	5_2_00C950FB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00D3203F	5_2_00D3203F
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C27184	5_2_00C27184
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C27159	5_2_00C27159
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00D2C459	5_2_00D2C459
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2F727	5_2_00C2F727
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AADF02	5_2_00AADF02

Source: file.exe, 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000005.00000002.1425596261.0000000000D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2789888 > 1048576

Source: file.exe

Static PE information: Raw size of faexbrgj is bigger than: 0x100000 < 0x2a3200

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 5.2.file.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W;faexbrgj:EW;fsrgkmwp:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2a92d3 should be: 0x2ab73b

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: faexbrgj
Source: file.exe	Static PE information: section name: fsrgkmwp
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAE631 push ecx; mov dword ptr [esp], 2EDFEAB8h	5_2_00AAF4E6
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push eax; mov dword ptr [esp], edx	5_2_00C2696C
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push edi; mov dword ptr [esp], 15D9BB73h	5_2_00C269B8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push eax; mov dword ptr [esp], 776FA7D7h	5_2_00C269E1
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push eax; mov dword ptr [esp], edx	5_2_00C26A53
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C2691C push edx; mov dword ptr [esp], esp	5_2_00C26A6D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push ecx; mov dword ptr [esp], 1F9A5B00h	5_2_00C26A9D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push eax; mov dword ptr [esp], 7A7B13FBh	5_2_00C26AD7
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push 3DDD64CCh; mov dword ptr [esp], ebx	5_2_00C26B43
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C26A8D push 353378F6h; mov dword ptr [esp], eax	5_2_00C26B92
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAEBE8 push ecx; mov dword ptr [esp], 3A7030C6h	5_2_00AAEEAF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C33ED5 push 7E89483Ch; mov dword ptr [esp], esi	5_2_00C34323
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3B0C0 push 698F884Dh; mov dword ptr [esp], ebx	5_2_00C3B735
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00D160C2 push ecx; mov dword ptr [esp], edi	5_2_00D161B8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAF0B3 push 2E982ECAh; mov dword ptr [esp], esi	5_2_00AAF78E
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AAD087 push esi; mov dword ptr [esp], 72EF4426h	5_2_00AAD2B5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 3867E794h; mov dword ptr [esp], edi	5_2_00C300F9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push edi; mov dword ptr [esp], 2E662B80h	5_2_00C30253
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 0612B6FEh; mov dword ptr [esp], eax	5_2_00C302B9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 07E9DF3Bh; mov dword ptr [esp], edx	5_2_00C30403
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C300ED push 68901B99h; mov dword ptr [esp], edi	5_2_00C304B3
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push 52E70452h; mov dword ptr [esp], ebx	5_2_00C95103
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push eax; mov dword ptr [esp], 55FB5BECh	5_2_00C951EB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push 34AE4773h; mov dword ptr [esp], esp	5_2_00C951FA
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C950FB push 078B0E8Bh; mov dword ptr [esp], edx	5_2_00C95240
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C270FA push ebp; mov dword ptr [esp], 09600DC2h	5_2_00C27119
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C270FA push 56CAA343h; mov dword ptr [esp], ebp	5_2_00C27140
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00AB10EA push 32AC7660h; mov dword ptr [esp], ecx	5_2_00AB2C22
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3108C push eax; mov dword ptr [esp], eax	5_2_00C31434
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3108C push eax; mov dword ptr [esp], eax	5_2_00C314A8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00C3108C push eax; mov dword ptr [esp], esp	5_2_00C32612

Source: file.exe

Static PE information: section name: entropy: 7.767064817005539

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAE532 second address: AADE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 nop 0x00000008 jl 00007FE7A8F64FACh 0x0000000e push dword ptr [ebp+122D0E85h] 0x00000014 mov dword ptr [ebp+122D1CC3h], eax 0x0000001a pushad 0x0000001b mov si, DC3Eh 0x0000001f mov ecx, dword ptr [ebp+122D3B17h] 0x00000025 popad 0x00000026 call dword ptr [ebp+122D1F5Dh] 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D1D1Fh], ebx 0x00000033 xor eax, eax 0x00000035 add dword ptr [ebp+122D22D5h], ebx 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f jmp 00007FE7A8F64FABh 0x00000044 mov dword ptr [ebp+122D39ABh], eax 0x0000004a cmc 0x0000004b pushad 0x0000004c call 00007FE7A8F64FB0h 0x00000051 mov edi, ecx 0x00000053 pop ebx 0x00000054 mov edi, dword ptr [ebp+122D3D27h] 0x0000005a popad 0x0000005b mov esi, 0000003Ch 0x00000060 or dword ptr [ebp+122D2259h], ebx 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a jl 00007FE7A8F64FA7h 0x00000070 stc 0x00000071 cmc 0x00000072 lodsw 0x00000074 jmp 00007FE7A8F64FAEh 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d jmp 00007FE7A8F64FB2h 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 jbe 00007FE7A8F64FA7h 0x0000008c clc 0x0000008d nop 0x0000008e push ecx 0x0000008f push eax 0x00000090 push edx 0x00000091 jo 00007FE7A8F64FA6h 0x00000097 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26796 second address: C2679C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2679C second address: C267C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE7A8F64FADh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE7A8F64FB4h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C267C8 second address: C267CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2692B second address: C2692F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2692F second address: C26939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26D3A second address: C26D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2896B second address: C289F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov edx, dword ptr [ebp+122D3CCFh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FE7A8C37278h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a push EC9EC341h 0x0000002f pushad 0x00000030 jmp 00007FE7A8C3727Dh 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b popad 0x0000003c add dword ptr [esp], 13613D3Fh 0x00000043 mov edx, edi 0x00000045 push 00000003h 0x00000047 push esi 0x00000048 sub dword ptr [ebp+122D221Ch], edx 0x0000004e pop edx 0x0000004f push 00000000h 0x00000051 jo 00007FE7A8C3727Ch 0x00000057 push 00000003h 0x00000059 mov edi, dword ptr [ebp+122D3B83h] 0x0000005f call 00007FE7A8C37279h 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 je 00007FE7A8C37276h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C289F2 second address: C28A16 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE7A8F64FB8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28A16 second address: C28A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37288h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE7A8C37281h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28A47 second address: C28B03 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE7A8F64FB5h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnc 00007FE7A8F64FBBh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FE7A8F64FAEh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jmp 00007FE7A8F64FAEh 0x00000025 pop eax 0x00000026 jmp 00007FE7A8F64FAFh 0x0000002b lea ebx, dword ptr [ebp+1244E7E8h] 0x00000031 clc 0x00000032 xchg eax, ebx 0x00000033 jnc 00007FE7A8F64FC6h 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d jmp 00007FE7A8F64FB7h 0x00000042 jg 00007FE7A8F64FA6h 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28B03 second address: C28B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE7A8C37276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28BC8 second address: C28BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28C80 second address: C28C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28C84 second address: C28CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 jmp 00007FE7A8F64FB8h 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 jmp 00007FE7A8F64FABh 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28CB9 second address: C28CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C3727Dh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007FE7A8C3727Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28CDE second address: C28CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28CE4 second address: C28D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jc 00007FE7A8C37284h 0x00000012 pushad 0x00000013 jnc 00007FE7A8C37276h 0x00000019 jc 00007FE7A8C37276h 0x0000001f popad 0x00000020 pop eax 0x00000021 mov dword ptr [ebp+122D1D13h], edx 0x00000027 lea ebx, dword ptr [ebp+1244E7F1h] 0x0000002d sbb si, 2296h 0x00000032 jmp 00007FE7A8C37288h 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D33 second address: C28D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D42 second address: C28D52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C3727Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28D9C second address: C28E31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FE7A8F64FB1h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FE7A8F64FAEh 0x00000011 nop 0x00000012 jmp 00007FE7A8F64FADh 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a mov di, F58Dh 0x0000001e pop ecx 0x0000001f push 1DF4CA9Ah 0x00000024 push esi 0x00000025 jmp 00007FE7A8F64FB7h 0x0000002a pop esi 0x0000002b xor dword ptr [esp], 1DF4CA1Ah 0x00000032 jne 00007FE7A8F64FABh 0x00000038 push 00000003h 0x0000003a jno 00007FE7A8F64FA7h 0x00000040 mov dword ptr [ebp+122D21C0h], edi 0x00000046 push 00000000h 0x00000048 mov dword ptr [ebp+122D1CADh], edi 0x0000004e push 00000003h 0x00000050 adc dh, 00000043h 0x00000053 call 00007FE7A8F64FA9h 0x00000058 pushad 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E31 second address: C28E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FE7A8C3727Ah 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FE7A8C37283h 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E59 second address: C28E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007FE7A8F64FA6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jns 00007FE7A8F64FB8h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E88 second address: C28EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FE7A8C37282h 0x00000010 pop eax 0x00000011 lea ebx, dword ptr [ebp+1244E7FCh] 0x00000017 pushad 0x00000018 mov dword ptr [ebp+122D20A6h], ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push ebx 0x00000021 jl 00007FE7A8C3727Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BC5F second address: C3BC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EA9 second address: C47EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EAD second address: C47EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EBB second address: C47EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47EBF second address: C47EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4804D second address: C48051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48051 second address: C4805D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE7A8F64FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4805D second address: C48078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE7A8C37281h 0x00000009 jnl 00007FE7A8C37276h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4861E second address: C48643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE7A8F64FABh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48643 second address: C48649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48649 second address: C4864D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4864D second address: C48674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE7A8C37276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007FE7A8C37285h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C48674 second address: C486A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FB3h 0x00000009 jmp 00007FE7A8F64FB3h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C486A4 second address: C486AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F222 second address: C3F227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10A76 second address: C10A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10A7A second address: C10A8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10A8D second address: C10A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C49269 second address: C4926D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4926D second address: C49276 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C493D8 second address: C493DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C493DC second address: C493E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4969E second address: C496AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007FE7A8F64FB2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C496AB second address: C496B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4CD6B second address: C4CD9A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE7A8F64FB6h 0x00000008 jmp 00007FE7A8F64FB0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007FE7A8F64FB0h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4CD9A second address: C4CDB4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FE7A8C3727Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4CDB4 second address: C4CE00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8F64FB7h 0x00000008 jmp 00007FE7A8F64FB1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jmp 00007FE7A8F64FB0h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push edi 0x0000001f pop edi 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4CF2D second address: C4CF3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55B0A second address: C55B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FE7A8F64FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55B14 second address: C55B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE7A8C37281h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55B2F second address: C55B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55B33 second address: C55B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55C9D second address: C55CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FB6h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55E2C second address: C55E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56703 second address: C5674D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 xor dword ptr [esp], 56024F73h 0x0000000e add esi, 2693D876h 0x00000014 call 00007FE7A8F64FA9h 0x00000019 jmp 00007FE7A8F64FB2h 0x0000001e push eax 0x0000001f jns 00007FE7A8F64FACh 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 push eax 0x0000002a push edx 0x0000002b jng 00007FE7A8F64FA8h 0x00000031 push esi 0x00000032 pop esi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5674D second address: C56753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56753 second address: C56757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56757 second address: C56795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jmp 00007FE7A8C37288h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56795 second address: C56799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56799 second address: C567B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE7A8C3727Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C567B2 second address: C567B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56BAD second address: C56BBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56C6F second address: C56C81 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007FE7A8F64FAEh 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56D9E second address: C56DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C573C6 second address: C573DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FE7A8F64FACh 0x0000000b jnc 00007FE7A8F64FA6h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C573DE second address: C573E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57846 second address: C5784D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5784D second address: C57853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57A0A second address: C57A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57A10 second address: C57A3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 mov edi, dword ptr [ebp+122D3CFBh] 0x00000016 pop eax 0x00000017 popad 0x00000018 mov dword ptr [ebp+1245036Bh], edi 0x0000001e push eax 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57A3C second address: C57A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C57A40 second address: C57A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5898A second address: C5898F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5898F second address: C58994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58994 second address: C58A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE7A8F64FA6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e jng 00007FE7A8F64FB8h 0x00000014 jmp 00007FE7A8F64FB2h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FE7A8F64FA8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 mov si, bx 0x00000038 push 00000000h 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c jmp 00007FE7A8F64FB7h 0x00000041 push edx 0x00000042 jmp 00007FE7A8F64FB3h 0x00000047 pop edx 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d jnp 00007FE7A8F64FA6h 0x00000053 jmp 00007FE7A8F64FB6h 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C591D4 second address: C591F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE7A8C37288h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C591F0 second address: C5921B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE7A8F64FB4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5B361 second address: C5B36D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5B36D second address: C5B371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5B371 second address: C5B375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BA29 second address: C5BA2E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5C50C second address: C5C512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5CF84 second address: C5CF88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5CF88 second address: C5CFC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE7A8C37285h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE7A8C37289h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5CFC0 second address: C5CFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE7A8F64FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5CFCA second address: C5CFCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5DA17 second address: C5DA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5DA1D second address: C5DA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5DA21 second address: C5DA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FE7A8F64FB8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5DA47 second address: C5DA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5DA4C second address: C5DA8E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FE7A8F64FA8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 push 00000000h 0x00000025 cld 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+122D221Ch], edx 0x0000002e xchg eax, ebx 0x0000002f jo 00007FE7A8F64FB2h 0x00000035 jl 00007FE7A8F64FACh 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5E4C3 second address: C5E4C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5E235 second address: C5E23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5E4C7 second address: C5E4CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5E4CB second address: C5E4D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C61229 second address: C6122D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6122D second address: C61233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C61A2F second address: C61A4C instructions: 0x00000000 rdtsc 0x00000002 js 00007FE7A8C37276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE7A8C37281h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C61A4C second address: C61A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FE7A8F64FB9h 0x00000013 jmp 00007FE7A8F64FB3h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C638ED second address: C638F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64AA0 second address: C64AD6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE7A8F64FACh 0x00000008 ja 00007FE7A8F64FA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FE7A8F64FB6h 0x00000019 jmp 00007FE7A8F64FABh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64AD6 second address: C64ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64ADC second address: C64AE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C62B3A second address: C62B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63B39 second address: C63B3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63B3F second address: C63B5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C37288h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C62B3E second address: C62BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov di, si 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FE7A8F64FA8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub ebx, 3AD8FF37h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov edi, dword ptr [ebp+122D230Fh] 0x00000041 mov eax, dword ptr [ebp+122D0855h] 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007FE7A8F64FA8h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 00000019h 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 push FFFFFFFFh 0x00000063 mov dword ptr [ebp+122D20E7h], ecx 0x00000069 push eax 0x0000006a pushad 0x0000006b pushad 0x0000006c jo 00007FE7A8F64FA6h 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63B5C second address: C63B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C63C2F second address: C63C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c je 00007FE7A8F64FA6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69015 second address: C6901B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6901B second address: C6908C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007FE7A8F64FB7h 0x0000000e jmp 00007FE7A8F64FB3h 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007FE7A8F64FB0h 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FE7A8F64FABh 0x00000022 popad 0x00000023 jmp 00007FE7A8F64FB5h 0x00000028 pushad 0x00000029 jp 00007FE7A8F64FA6h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14010 second address: C14014 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69671 second address: C696EB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE7A8F64FA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FE7A8F64FA8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 pushad 0x00000028 mov edi, dword ptr [ebp+122D3B9Fh] 0x0000002e je 00007FE7A8F64FACh 0x00000034 xor ebx, dword ptr [ebp+12461668h] 0x0000003a popad 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e mov dword ptr [ebp+1245036Bh], eax 0x00000044 pop edi 0x00000045 push 00000000h 0x00000047 pushad 0x00000048 movsx eax, ax 0x0000004b jmp 00007FE7A8F64FB0h 0x00000050 popad 0x00000051 xchg eax, esi 0x00000052 pushad 0x00000053 jne 00007FE7A8F64FACh 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C696EB second address: C696F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69863 second address: C6986D instructions: 0x00000000 rdtsc 0x00000002 js 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B744 second address: C6B748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B748 second address: C6B774 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE7A8F64FB9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6A8A8 second address: C6A8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 jc 00007FE7A8C37280h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6A8B8 second address: C6A958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FE7A8F64FA8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 sub dword ptr [ebp+12470561h], ebx 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov edi, eax 0x00000031 jnl 00007FE7A8F64FACh 0x00000037 or dword ptr [ebp+122D1FC1h], eax 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 call 00007FE7A8F64FB8h 0x00000049 sub dword ptr [ebp+122D2223h], eax 0x0000004f pop edi 0x00000050 mov eax, dword ptr [ebp+122D0DC9h] 0x00000056 mov bl, ABh 0x00000058 push FFFFFFFFh 0x0000005a mov bl, 71h 0x0000005c nop 0x0000005d jmp 00007FE7A8F64FB4h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FE7A8F64FB3h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6C809 second address: C6C80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6C80D second address: C6C81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6D6F0 second address: C6D6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B967 second address: C6B971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FE7A8F64FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B971 second address: C6B97E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E525 second address: C6E52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E52A second address: C6E537 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E537 second address: C6E54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FABh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E54B second address: C6E54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E54F second address: C6E5E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FE7A8F64FA8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 jmp 00007FE7A8F64FB5h 0x00000027 push 00000000h 0x00000029 jmp 00007FE7A8F64FB5h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FE7A8F64FA8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a push ebx 0x0000004b mov dword ptr [ebp+122D1D62h], esi 0x00000051 pop ebx 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FE7A8F64FB2h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E5E3 second address: C6E5E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6E5E9 second address: C6E5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7152D second address: C71532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C71532 second address: C71549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE7A8F64FB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7067B second address: C70681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C70681 second address: C70685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C72512 second address: C7251B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7251B second address: C72556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+1246169Ah], ecx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FE7A8F64FA8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+122D3D07h] 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C72556 second address: C7255D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C73632 second address: C736DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007FE7A8F64FBEh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D5C66h], ecx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov dword ptr [ebp+122D1D18h], edx 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 mov edi, dword ptr [ebp+1245D04Dh] 0x0000002e mov ebx, dword ptr [ebp+122D3AAFh] 0x00000034 mov eax, dword ptr [ebp+122D0DD1h] 0x0000003a mov ebx, dword ptr [ebp+122D3CE7h] 0x00000040 push FFFFFFFFh 0x00000042 push 00000000h 0x00000044 push edi 0x00000045 call 00007FE7A8F64FA8h 0x0000004a pop edi 0x0000004b mov dword ptr [esp+04h], edi 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc edi 0x00000058 push edi 0x00000059 ret 0x0000005a pop edi 0x0000005b ret 0x0000005c jmp 00007FE7A8F64FB5h 0x00000061 nop 0x00000062 jmp 00007FE7A8F64FB7h 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C736DB second address: C736DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C736DF second address: C736FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FE7A8F64FA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7701D second address: C77021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7F009 second address: C7F00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21811 second address: C2181B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE7A8C3727Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E6DB second address: C7E6E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E6E4 second address: C7E6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E81D second address: C7E83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007FE7A8F64FB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E83A second address: C7E84A instructions: 0x00000000 rdtsc 0x00000002 je 00007FE7A8C37278h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E84A second address: C7E84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E84E second address: C7E852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E9D7 second address: C7E9DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E9DB second address: C7E9E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FE7A8C3727Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7EB41 second address: C7EB4F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7EB4F second address: C7EB6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C37285h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7EB6B second address: C7EB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE7A8F64FAAh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C94DBE second address: C94DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C94DC6 second address: C94DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE7A8F64FAFh 0x0000000a pop eax 0x0000000b jng 00007FE7A8F64FDDh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C94DE5 second address: C94DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C940E8 second address: C940EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C940EE second address: C940F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C981A4 second address: C981AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5F722 second address: C3F222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FE7A8C37276h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push esi 0x00000012 or dword ptr [ebp+122D2141h], eax 0x00000018 pop edi 0x00000019 call dword ptr [ebp+122D226Dh] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5FD90 second address: C5FDB4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE7A8F64FACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FE7A8F64FACh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5FDB4 second address: C5FDC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37280h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5FDC8 second address: C5FE35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FE7A8F64FB9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FE7A8F64FA8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 xor dx, 00DDh 0x0000002d call 00007FE7A8F64FA9h 0x00000032 pushad 0x00000033 push edi 0x00000034 jmp 00007FE7A8F64FADh 0x00000039 pop edi 0x0000003a push edx 0x0000003b jc 00007FE7A8F64FA6h 0x00000041 pop edx 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push edi 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 pop edi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5FF6E second address: C5FF72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C60113 second address: C60119 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C60311 second address: C60317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C607F2 second address: C60801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8F64FAAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C60A70 second address: C60B1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007FE7A8C37281h 0x00000010 jmp 00007FE7A8C3727Bh 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FE7A8C37278h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 push edi 0x00000031 xor ecx, dword ptr [ebp+122D3C3Fh] 0x00000037 pop edi 0x00000038 lea eax, dword ptr [ebp+124854BEh] 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007FE7A8C37278h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 00000018h 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 jno 00007FE7A8C3727Ch 0x0000005e nop 0x0000005f pushad 0x00000060 jmp 00007FE7A8C37288h 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FE7A8C37280h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C60B1F second address: C3FD62 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jno 00007FE7A8F64FB2h 0x00000012 nop 0x00000013 stc 0x00000014 lea eax, dword ptr [ebp+1248547Ah] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FE7A8F64FA8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 adc di, 1429h 0x00000039 push eax 0x0000003a jmp 00007FE7A8F64FB0h 0x0000003f mov dword ptr [esp], eax 0x00000042 mov edx, 11E7134Ah 0x00000047 call dword ptr [ebp+122D2F15h] 0x0000004d push edi 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 jo 00007FE7A8F64FA6h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3FD62 second address: C3FD8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37281h 0x00000007 jmp 00007FE7A8C37285h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C60F second address: C1C64B instructions: 0x00000000 rdtsc 0x00000002 js 00007FE7A8F64FA8h 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007FE7A8F64FB5h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE7A8F64FB5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C64B second address: C1C652 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98450 second address: C9845D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9845D second address: C98461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98743 second address: C98747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98747 second address: C9874D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C988C3 second address: C988E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007FE7A8F64FA6h 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007FE7A8F64FA6h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C988E1 second address: C98904 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Dh 0x00000007 jp 00007FE7A8C37276h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007FE7A8C37276h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98A22 second address: C98A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98A28 second address: C98A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE7A8C37289h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98D4E second address: C98D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007FE7A8F64FA6h 0x00000012 popad 0x00000013 jmp 00007FE7A8F64FB9h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98D7D second address: C98D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98ED5 second address: C98EDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E236 second address: C1E241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE7A8C37276h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E241 second address: C1E25A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE7A8F64FAFh 0x00000009 jne 00007FE7A8F64FA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1E25A second address: C1E279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37286h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA176C second address: CA1772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1772 second address: CA1776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1776 second address: CA17A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE7A8F64FAEh 0x0000000c jmp 00007FE7A8F64FAFh 0x00000011 jng 00007FE7A8F64FA6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17A5 second address: CA17AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17AB second address: CA17AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17AF second address: CA17B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA60E7 second address: CA60F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C17620 second address: C1763E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Bh 0x00000007 jmp 00007FE7A8C3727Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1763E second address: C17651 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE7A8F64FAEh 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EFE5 second address: C0EFE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0EFE9 second address: C0F000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE7A8F64FAFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA330 second address: CAA33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE7A8C37276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA4DB second address: CAA4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA4DF second address: CAA4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA4E4 second address: CAA4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA4F1 second address: CAA4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA5FA second address: CAA616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jo 00007FE7A8F64FA6h 0x00000010 pushad 0x00000011 popad 0x00000012 jnl 00007FE7A8F64FA6h 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA8AF second address: CAA8BD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE7A8C37276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA8BD second address: CAA8D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FE7A8F64FB5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA8D8 second address: CAA8EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FE7A8C37276h 0x0000000b jnc 00007FE7A8C37276h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA8EF second address: CAA902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE7A8F64FA6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA902 second address: CAA908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAA908 second address: CAA910 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAAAB1 second address: CAAABD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007FE7A8C37276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAAC4B second address: CAAC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAAC4F second address: CAAC61 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE7A8C37276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FE7A8C3727Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB007 second address: CAB03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FAAh 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 jp 00007FE7A8F64FC0h 0x0000001a jmp 00007FE7A8F64FB4h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB03C second address: CAB057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE7A8C37281h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB1B2 second address: CAB1D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FE7A8F64FA8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB1D7 second address: CAB1DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB1DD second address: CAB1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB38A second address: CAB3A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE7A8C37280h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAE140 second address: CAE152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 jc 00007FE7A8F64FA6h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CADE4B second address: CADE51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CADE51 second address: CADE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0B73 second address: CB0B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0CD8 second address: CB0CE1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0CE1 second address: CB0D03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jmp 00007FE7A8C3727Eh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007FE7A8C37276h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0E35 second address: CB0E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0E39 second address: CB0E5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FE7A8C37286h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB65BC second address: CB65C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB65C1 second address: CB65C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB66E4 second address: CB66E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6838 second address: CB683E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB683E second address: CB684E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB684E second address: CB6852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6C70 second address: CB6C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB76E5 second address: CB7704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C37288h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7704 second address: CB770A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA882 second address: CBA886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA886 second address: CBA89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FE7A8F64FA8h 0x0000000e js 00007FE7A8F64FACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA01A second address: CBA01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA2D5 second address: CBA2D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFD22 second address: CBFD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF037 second address: CBF061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FAEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE7A8F64FAFh 0x00000011 jns 00007FE7A8F64FA6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF316 second address: CBF335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8C37289h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF335 second address: CBF348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE7A8F64FAEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF348 second address: CBF352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE7A8C37276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF352 second address: CBF36E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007FE7A8F64FA6h 0x0000000f jne 00007FE7A8F64FA6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF36E second address: CBF389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE7A8C37276h 0x0000000a pop esi 0x0000000b ja 00007FE7A8C3727Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF955 second address: CBF959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC7BD7 second address: CC7BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE7A8C37276h 0x0000000a jnl 00007FE7A8C37276h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC5FB4 second address: CC5FD2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FE7A8F64FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE7A8F64FB0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C17648 second address: C17651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC7071 second address: CC707D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCE822 second address: CCE830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FE7A8C37276h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCFDB9 second address: CCFDBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCFDBD second address: CCFDCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2BDD second address: CD2BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2BF2 second address: CD2C0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FE7A8C3727Eh 0x0000000c jng 00007FE7A8C37276h 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2C0C second address: CD2C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2C10 second address: CD2C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2C16 second address: CD2C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE7A8F64FB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2C35 second address: CD2C5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE7A8C3727Ah 0x0000000e jmp 00007FE7A8C37281h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2DD2 second address: CD2DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2DD6 second address: CD2DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE7A8C3728Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FE7A8C37276h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2DEA second address: CD2DF3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD30D0 second address: CD30E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C3727Bh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD3220 second address: CD3226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD3226 second address: CD322A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD322A second address: CD3235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD34E2 second address: CD34E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD379E second address: CD37CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push ebx 0x0000000c jmp 00007FE7A8F64FB5h 0x00000011 jbe 00007FE7A8F64FA6h 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB5D5 second address: CDB5DB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB5DB second address: CDB5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE7A8F64FABh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB5F0 second address: CDB5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD970F second address: CD9713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9713 second address: CD972A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE7A8C3727Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9B7B second address: CD9B8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FACh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9B8B second address: CD9B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E2F second address: CD9E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E44 second address: CD9E4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E4A second address: CD9E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E50 second address: CD9E55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E55 second address: CD9E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E63 second address: CD9E88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37288h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007FE7A8C37276h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E88 second address: CD9E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE7A8F64FA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD9E97 second address: CD9E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA012 second address: CDA02E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 jmp 00007FE7A8F64FAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA02E second address: CDA03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FE7A8C37276h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA483 second address: CDA487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA487 second address: CDA499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE7A8C3727Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA499 second address: CDA4A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA4A1 second address: CDA4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDAC08 second address: CDAC22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FB6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE3F5B second address: CE3F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE3F65 second address: CE3F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE3F69 second address: CE3F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE3F6D second address: CE3F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEC4E4 second address: CEC4EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEC4EE second address: CEC503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FE7A8F64FAEh 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF2FAB second address: CF2FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF7F58 second address: CF7F6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FE7A8F64FADh 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF7F6F second address: CF7F99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE7A8C3727Bh 0x00000008 jbe 00007FE7A8C37276h 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE7A8C37281h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF7F99 second address: CF7F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFB877 second address: CFB87D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D087C0 second address: D087DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE7A8F64FB9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D087DF second address: D087E4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E819 second address: D0E81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E81D second address: D0E849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37287h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FE7A8C3727Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E849 second address: D0E887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE7A8F64FB3h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jnp 00007FE7A8F64FA6h 0x00000017 pop edx 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FE7A8F64FB1h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E887 second address: D0E8A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Bh 0x00000007 jmp 00007FE7A8C37282h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E8A8 second address: D0E8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E8AE second address: D0E8CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37288h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E8CA second address: D0E8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FE7A8F64FA6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA1E second address: D0EA22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA22 second address: D0EA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA2E second address: D0EA34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA34 second address: D0EA3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA3A second address: D0EA40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA40 second address: D0EA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0EA44 second address: D0EA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0FB0D second address: D0FB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12CEF second address: D12CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12CF3 second address: D12D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FE7A8F64FA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12D01 second address: D12D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12D05 second address: D12D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE7A8F64FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12D11 second address: D12D29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C37282h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12D29 second address: D12D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D127E6 second address: D1280F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007FE7A8C37276h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FE7A8C37283h 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1280F second address: D12813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12813 second address: D12850 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FE7A8C37282h 0x0000000e jmp 00007FE7A8C3727Ch 0x00000013 jbe 00007FE7A8C3727Ch 0x00000019 jnc 00007FE7A8C37276h 0x0000001f push eax 0x00000020 push edx 0x00000021 jng 00007FE7A8C37276h 0x00000027 jmp 00007FE7A8C3727Fh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D129DD second address: D12A08 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007FE7A8F64FA8h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE7A8F64FB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1603A second address: D1605A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8C3727Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE7A8C3727Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1605A second address: D1607F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE7A8F64FAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FE7A8F64FA8h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 jng 00007FE7A8F64FA6h 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2EEE3 second address: D2EF00 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE7A8C37276h 0x00000008 jmp 00007FE7A8C37283h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2EAF2 second address: D2EAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D36979 second address: D36997 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE7A8C37288h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D36997 second address: D369A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE7A8F64FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D369A1 second address: D369A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D369A5 second address: D369CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jno 00007FE7A8F64FA6h 0x00000010 jmp 00007FE7A8F64FADh 0x00000015 jno 00007FE7A8F64FA6h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D369CC second address: D369E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FE7A8C3727Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FE7A8C37276h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3622F second address: D3623D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE7A8F64FA6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3623D second address: D3626B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pushad 0x00000007 jbe 00007FE7A8C3727Ch 0x0000000d jp 00007FE7A8C37278h 0x00000013 push ebx 0x00000014 jmp 00007FE7A8C37280h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D363AB second address: D363CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8F64FB4h 0x00000009 jg 00007FE7A8F64FACh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3667B second address: D3668A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8C3727Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3668A second address: D366C0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE7A8F64FB9h 0x00000011 jmp 00007FE7A8F64FB1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39CAC second address: D39CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39CB2 second address: D39CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39CB6 second address: D39CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE7A8C37283h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39CD4 second address: D39CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 ja 00007FE7A8F64FA6h 0x0000000c popad 0x0000000d push ebx 0x0000000e jo 00007FE7A8F64FA6h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39CF3 second address: D39D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE7A8C37276h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE7A8C37286h 0x00000012 jmp 00007FE7A8C37283h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39D29 second address: D39D33 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3DC32 second address: D3DC38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3DC38 second address: D3DC3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3DC3E second address: D3DC42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D40545 second address: D40549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44032 second address: D44044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE7A8C3727Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44044 second address: D44051 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE7A8F64FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44051 second address: D44057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39867 second address: D3986B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABB6 second address: D3ABD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE7A8C37286h 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABD7 second address: D3ABDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABDD second address: D3ABE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABE5 second address: D3ABEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABEE second address: D3ABF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABF2 second address: D3ABF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ABF6 second address: D3ABFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AADDA6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AADE85 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AAB27A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C5F8A3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CE6B52 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C4B337 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00C2691C rdtsc

5_2_00C2691C

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7304

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00C89F0C GetSystemInfo,VirtualAlloc,

5_2_00C89F0C

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00C2691C rdtsc

5_2_00C2691C

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00AAB7DE LdrInitializeThunk,

5_2_00AAB7DE

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, file.exe, 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmp

Binary or memory string: !NProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561503
Start date and time:	2024-11-23 15:37:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com, time.windows.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.512911276418392
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'789'888 bytes
MD5:	00737bada48d092c96d1d6a8829f680f
SHA1:	55dfedce4c520fe53ca2180f848e2089924365fb
SHA256:	d550c57c2b194b654d639537aa23827b98e2f03f0bd58957c7ae1bef570253e9
SHA512:	ae20be90d29fde0df2a6ff38a4fbd35125b077f4d3f743d3e2403845e2a816cc7035aafa6a849044e5261b09ed87e8a9c12e6068654b473f6466cb8897ca5cd2
SSDEEP:	49152:Kv+OTSKS5EOWbmnE1SLrHTCgEf/QgZpWGMRrKX:NHVObmnE1srHe9LMhK
TLSH:	2FD53962B94962CFD48F27746137CD82A95D43F9872008D7DC2CA9BE7D63CC521BAD28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. .......................@+.......*...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6b0000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FE7A896F01Ah
pshufw mm5, qword ptr [edx], 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FE7A8971015h
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	f8400e64472ed813e49655e3469e2517	False	0.9301215277777778	data	7.767064817005539	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
faexbrgj	0xa000	0x2a4000	0x2a3200	f25f4604c3fa89f2c5245d8056dbffa2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fsrgkmwp	0x2ae000	0x2000	0x400	61c0b82eb28e07729e5ac6c1949ba1a3	False	0.8154296875	data	6.350584241124989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2b0000	0x4000	0x2200	5272f4559f4029617bc8ec7ad605e834	False	0.06399356617647059	DOS executable (COM)	0.6773507637832054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	5
Start time:	09:38:08
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xaa0000
File size:	2'789'888 bytes
MD5 hash:	00737BADA48D092C96D1D6A8829F680F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	8.1%
Total number of Nodes:	234
Total number of Limit Nodes:	10

Executed Functions

Function 00C89F0C Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11825FEC), ref: 00C89F18
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00C89F79

Memory Dump Source

Source File: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 7ccaf0e0e04d5f822b109fd50dd9b0d024f810153d70336bc3c52f12f8dc43ac
Instruction ID: dd64953fe734b4f2ecedb909e692acbd7122952671741f58f90c0f059e921145
Opcode Fuzzy Hash: 7ccaf0e0e04d5f822b109fd50dd9b0d024f810153d70336bc3c52f12f8dc43ac
Instruction Fuzzy Hash: 264173B2D00606AFE335DF61C805BA6B7ECFB48741F1141A7B607C94C2E77295D08BA4

Function 00C2691C Relevance: 1.6, APIs: 1, Instructions: 115
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00C2691C

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f9dd45a050807a0c547df93772f0e5b1a741acba39bd8b003b24a1e3f29d924
Instruction ID: 98ddaef5eec8a08443f49e37cc887c9ea12656e310a55909a37b657a3b5995e3
Opcode Fuzzy Hash: 8f9dd45a050807a0c547df93772f0e5b1a741acba39bd8b003b24a1e3f29d924
Instruction Fuzzy Hash: 7E315BF650C210AFE301AF29D88067EFBF9EF94720F16482DE6C4C2650D23549948BA7

Function 00AAB7DE Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 00AAB94E

Memory Dump Source

Source File: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: ffeda01b9b1bdb47613ca9b54b39c39022ce86a57fb9ebe30e58a5855b1bdb46
Instruction ID: 4893908be335d6d5af64bbcdce6b730f37769bdcee5c65a168958468566fb130
Opcode Fuzzy Hash: ffeda01b9b1bdb47613ca9b54b39c39022ce86a57fb9ebe30e58a5855b1bdb46
Instruction Fuzzy Hash: 68E0C2B22244858ACF17AF24890179E3B1DDF43700F904115FB519BECBCB2D4C1187B6

Function 00C81ACB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 00C81BDC
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00C81BF0

Strings

1002, xrefs: 00C81BA6
.exe, xrefs: 00C81B37
.dll, xrefs: 00C81B13

Memory Dump Source

Source File: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 35671097b01d7b452b0cccaf2ee059331593ff14f97ad973104148f3e8e02bb0
Instruction ID: 117c644e299e1ce2898c57422f1e0844ebccf7af1168eb5ce44eb243a809bbd1
Opcode Fuzzy Hash: 35671097b01d7b452b0cccaf2ee059331593ff14f97ad973104148f3e8e02bb0
Instruction Fuzzy Hash: 1131ADB1804205EFCF25BF50E905ABD7BB9FF14359F184165FC0256060E7309AA2EB99

Function 00C8A938 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.exe, xrefs: 00C8AA63, 00C8AAA9, 00C8AA74, 00C8AA87
.exe, xrefs: 00C8AA9E

Memory Dump Source

Source File: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID: .exe$.exe
API String ID: 0-1392631246
Opcode ID: a4ea7ccefee7476e854d7feee08c4e4f0c570ae6babd1f70bb0f61e838f9ae4f
Instruction ID: a3efaaeeea05b83515641650a64d739fc28339b94cb3cdae47ca52246c06e7f5
Opcode Fuzzy Hash: a4ea7ccefee7476e854d7feee08c4e4f0c570ae6babd1f70bb0f61e838f9ae4f
Instruction Fuzzy Hash: 1A41D371900205EFFB29EF10DA44BAD77B0FF04318F158056E413AA991C335AE90EF9A

Function 00C33ED5 Relevance: 4.6, APIs: 3, Instructions: 71
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00C33F19
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00C33F40
GetNativeSystemInfo.KERNELBASE(?), ref: 00C33F97

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: aaf50d59ad2368f496187459ee843df69cdfdeabcab0f67ed009ce821043ab81
Instruction ID: 59ef1e037790d5d118fd7fc06c45210eca19157984690b0b5984d4458cb51fd9
Opcode Fuzzy Hash: aaf50d59ad2368f496187459ee843df69cdfdeabcab0f67ed009ce821043ab81
Instruction Fuzzy Hash: 5431F87191424EDFEF21DF90C848BEF3BA5EF08305F500526E98282951EBB65EA4CF59

Function 00C809AB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 00C80A0D

Strings

\\?\, xrefs: 00C80A68

Memory Dump Source

Source File: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: d1692686fe0c260f34d6148e81ed43a0f93b867f1a3fb881523b4647305f7bd2
Instruction ID: eded31a6e6b9ecd8eafe51c5128672285485422f60c125d7ac8c6e0c477e0e3a
Opcode Fuzzy Hash: d1692686fe0c260f34d6148e81ed43a0f93b867f1a3fb881523b4647305f7bd2
Instruction Fuzzy Hash: BF313975A00609BFDF61EF94CD09F9E777AFF44348F100064F911A5060D7329A68EB98

Function 00C28D6C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00C28C77,00000003), ref: 00C28D73

Strings

C, xrefs: 00C28F32

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: 73067c0868b6bd5406daa4a23e2a71fd96122b1f1d744a82c6ce95c05ddfe2b2
Instruction ID: 61f9238fe86a951e9924b7091aac40b0b1b27ef947ef8f347f2d50600472040e
Opcode Fuzzy Hash: 73067c0868b6bd5406daa4a23e2a71fd96122b1f1d744a82c6ce95c05ddfe2b2
Instruction Fuzzy Hash: 0C117AB718A36A6ED7108E15BC11BFE3B68E795320F30411AF50596C86DFA10E0D4625

Function 00C28EE1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00C28EF6

Strings

C, xrefs: 00C28F32

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: ab82ba0997840581405af36259ea5307d51d92120d5efa30f8910263e04c3f60
Instruction ID: 4452104780961b0fd1ad17b07edca3f92472d94d228d9625ab9e58f872f15e7c
Opcode Fuzzy Hash: ab82ba0997840581405af36259ea5307d51d92120d5efa30f8910263e04c3f60
Instruction Fuzzy Hash: 97F08B771892382ED7118A996D117EE7385EB59330F300119F489E3D82D6A81E09563A

Function 00AAE631 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00AAF4D9

Strings

3M_, xrefs: 00AAF61C

Memory Dump Source

Source File: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: 3M_
API String ID: 4275171209-2939996684
Opcode ID: 500f57350c6ede9c80d08564849c3446e797720911ae4851a6649d1d3c792e56
Instruction ID: bc2334d8413611178d3526fa6bd50b2adc196836d08ff2610055c4647e96c691
Opcode Fuzzy Hash: 500f57350c6ede9c80d08564849c3446e797720911ae4851a6649d1d3c792e56
Instruction Fuzzy Hash: 3BF03AB054D341EFD7849F65D4805AFB6F4EF5A720F21892DAAE6872D0D3300C41AB67

Function 00C28C7B Relevance: 1.6, APIs: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00C28C77,00000003), ref: 00C28D73

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4fd28bc2029f913929409dc93a20c7a1bc9c6273efe5786415ffbc58859f34b6
Instruction ID: 39dff99a1198b532748df633712f119f1d9a6f53f642ffb9f1dc48e8f6a683b1
Opcode Fuzzy Hash: 4fd28bc2029f913929409dc93a20c7a1bc9c6273efe5786415ffbc58859f34b6
Instruction Fuzzy Hash: D33181FB14A2667DF201CA457E25EFA6B6DE7D6730F30882AF402D5886DA910E0E2135

Function 00C28C92 Relevance: 1.6, APIs: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00C28C77,00000003), ref: 00C28D73

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b5a5df969a0cd6260336bef0ef337efb3e5eaaa241006d091428eda0cc76653
Instruction ID: 7ac45fd8f67176d4e6e6e09e748e17d86fa65440a14758f16d49140b7116296d
Opcode Fuzzy Hash: 5b5a5df969a0cd6260336bef0ef337efb3e5eaaa241006d091428eda0cc76653
Instruction Fuzzy Hash: 3F31D5FB18A2666DF301CE457E21BFA7B6CE7D2730F30842AF402D5986DA910E0D6135

Function 00C28CB2 Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00C28C77,00000003), ref: 00C28D73

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3e7485170c20b427db7c738e3f4dd70c1d613cb6fff17521de56a60a776529c6
Instruction ID: b8a6603cfae25918b6936c7e03f1872c60aa5afd7701c69120a5d4bcc68d8252
Opcode Fuzzy Hash: 3e7485170c20b427db7c738e3f4dd70c1d613cb6fff17521de56a60a776529c6
Instruction Fuzzy Hash: 0831C7B714A2666DE302CE557E15BBA7B6DE7D2730F30846AF402C6886DA910E0D6235

Function 00C26A8D Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00C26A8D

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5b454a78d22498c2785179c448c26684dd740ae0182a2a92eeec428c79b48e2c
Instruction ID: a4367cc066033592ef11dbe347309727ca0bab1ec4ea233d5b7c0cb8b2a9e613
Opcode Fuzzy Hash: 5b454a78d22498c2785179c448c26684dd740ae0182a2a92eeec428c79b48e2c
Instruction Fuzzy Hash: 90314DB250C314AFE705BF19EC81ABAFBE8EF55721F164D2DE6C483600EA3558448B97

Function 00C28D1B Relevance: 1.6, APIs: 1, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00C28C77,00000003), ref: 00C28D73

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9afff1e003af64f3bd8f5cf1d9d06aca788bea61d266958373905ad6fdbbbe5d
Instruction ID: 9afd13893a5bf4efeae310b5f895b73f4904c18e702a788e235b6d739e25f659
Opcode Fuzzy Hash: 9afff1e003af64f3bd8f5cf1d9d06aca788bea61d266958373905ad6fdbbbe5d
Instruction Fuzzy Hash: B1212BB714926A6DE301CE117D21BBA7B6CF792730F30452BF402CA886DB900E0E5634

Function 00C28D4C Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ef2b5e1ebe662260f2ae56cd6396d90aac51b4f512528bcc990c6d6febf8213c
Instruction ID: e5e99bbea59fb32582c0224333493dc573fcb8984689c46bfbe3c6bc69489976
Opcode Fuzzy Hash: ef2b5e1ebe662260f2ae56cd6396d90aac51b4f512528bcc990c6d6febf8213c
Instruction Fuzzy Hash: 0F01497718936B5DE7118E117D21FBE3B28F7D2720F70442AE502CA8C6DF610E0E5124

Function 00C8A685 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00C8A732

Memory Dump Source

Source File: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: f2a94b94b9a18dfc4cca02e9e418da1e38fb7fb1cc14cc49c896e5179318a484
Instruction ID: 1bc6ef2ac9dcb6be3e62c955e3f671ab7c55e4c25fc18882f244ad03db041847
Opcode Fuzzy Hash: f2a94b94b9a18dfc4cca02e9e418da1e38fb7fb1cc14cc49c896e5179318a484
Instruction Fuzzy Hash: 7C11B272A012259FFB307A458D4CBEA777CEF14758F2040A7F915A7041D7749E80ABAA

Function 04FE0D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04FE0DCD

Memory Dump Source

Source File: 00000005.00000002.1427493343.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4fe0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ccdc7ad418fcedf30902bfc64ec9447fe2acf425c2488406c088e4b9093d9517
Instruction ID: e494f910f1c9f5e964ab14bc2e16d4c89add6c32b1ffcd85a18a52845a8158b3
Opcode Fuzzy Hash: ccdc7ad418fcedf30902bfc64ec9447fe2acf425c2488406c088e4b9093d9517
Instruction Fuzzy Hash: 992129B5C012199FCB20CF9AD884BDEFBF4FB88310F14821AD818AB244DB74A545CFA5

Function 04FE0D41 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04FE0DCD

Memory Dump Source

Source File: 00000005.00000002.1427493343.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4fe0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 5bc561dbb4153614acfffd34840d3a00f193cf7ea221f74e6217bacbf832a6f1
Instruction ID: 8536104ba730f5e38e83182f819e7397aa3d02087a65617f5d294f1ead09b6a2
Opcode Fuzzy Hash: 5bc561dbb4153614acfffd34840d3a00f193cf7ea221f74e6217bacbf832a6f1
Instruction Fuzzy Hash: AF2138B6C002198FDB14CF99D4857DEFBF1FB88310F14822AD908AB244CB74A546CFA4

Function 04FE1510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04FE1580

Memory Dump Source

Source File: 00000005.00000002.1427493343.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4fe0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 9fa3bb9b7a60e4bb48bed6c1798a08ac51cf4f1e4bab0e3860f8db30c7585399
Instruction ID: e880317727d255f1050576dba02ef9c8723fc808aeb5e2f3c06a51dce7345ece
Opcode Fuzzy Hash: 9fa3bb9b7a60e4bb48bed6c1798a08ac51cf4f1e4bab0e3860f8db30c7585399
Instruction Fuzzy Hash: AE1117B1D003498FDB20CF9AC584BDEFBF4EB48320F10802AE958A3250D378A545CFA5

Function 04FE1509 Relevance: 1.6, APIs: 1, Instructions: 51serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04FE1580

Memory Dump Source

Source File: 00000005.00000002.1427493343.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4fe0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: c7289bbdc40c678ad8a9cb62d04dd7be4177c2f0e4900ec60c5f856cca053de1
Instruction ID: 3bafb2db54219e7379510dbd7a714cf5ae1434d3458415abaa4f83b2122b69b1
Opcode Fuzzy Hash: c7289bbdc40c678ad8a9cb62d04dd7be4177c2f0e4900ec60c5f856cca053de1
Instruction Fuzzy Hash: 841103B5D003098FDB10CF9AC584BDEFBF0AB48321F10852AD969A3250C778A645CFA5

Function 04FE1301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04FE1367

Memory Dump Source

Source File: 00000005.00000002.1427493343.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4fe0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: d259541534dcf20324d059e73a1a8935adf27779164ecd0901edcaf73af40b37
Instruction ID: c55591597841cb7efed1e6e45e1ebbc223f1779edc44f3fcb59017b2cbc1956b
Opcode Fuzzy Hash: d259541534dcf20324d059e73a1a8935adf27779164ecd0901edcaf73af40b37
Instruction Fuzzy Hash: 461128B1800249CFDB20CFAAD585BEEBBF4EF48320F14842AD558A3250C778A545CFA1

Function 04FE1308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04FE1367

Memory Dump Source

Source File: 00000005.00000002.1427493343.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4fe0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 1c5947ae18f8c63a1a306d7773fdbdfcc8fc22d92606c78559c32b99f103e35a
Instruction ID: 81b24e44112e605ebb6bc5508a27403c2b15a38e71dbb2681b70f242f5ee7648
Opcode Fuzzy Hash: 1c5947ae18f8c63a1a306d7773fdbdfcc8fc22d92606c78559c32b99f103e35a
Instruction Fuzzy Hash: A011F5B18003498FDB20DF9AD585BEEBBF4EB48320F14842AD558A3650D778A945CFA5

Function 00C28B33 Relevance: 1.5, APIs: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 00C28B46

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9da4f3fb0daa0e9b791978b88fd508c756a7f3efb7ef87c15042f2e9f2d51b33
Instruction ID: da34564751e4dbdaaae879f64287d98aad47751e87bb230e3124d6d46310a3a1
Opcode Fuzzy Hash: 9da4f3fb0daa0e9b791978b88fd508c756a7f3efb7ef87c15042f2e9f2d51b33
Instruction Fuzzy Hash: ADF062F350E3727EF7125B306D51BBE6BA8DA92310F24859EF44086D86DA540949A226

Function 00C805C9 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 00C8062D

Memory Dump Source

Source File: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 7b2a88d5d3846d2e311eea74f7d56bd91fa5df29aca713758526b0cd1ffe6055
Instruction ID: 6d551dce79257e9fc7ce7b3294447aebf34846bea8fe73e029b7c604fad62d61
Opcode Fuzzy Hash: 7b2a88d5d3846d2e311eea74f7d56bd91fa5df29aca713758526b0cd1ffe6055
Instruction Fuzzy Hash: 3701E835A00909FFCF61AFA5DC05DDEBB76EF84754F104161F806A4060E7328A65DFA8

Function 00C8A2AF Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00C8A2AB,?,?,00C89FB1,?,?,00C89FB1,?,?,00C89FB1), ref: 00C8A2CF

Memory Dump Source

Source File: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b3080a40b77e33dc9d78838818b2eda2c15e28a716c6ff7cb735357f5c530f8
Instruction ID: db5aeb4243ad999e2827f1cf46ccc386bbcb765926c10e98ac913e1fab8e5ad0
Opcode Fuzzy Hash: 7b3080a40b77e33dc9d78838818b2eda2c15e28a716c6ff7cb735357f5c530f8
Instruction Fuzzy Hash: C9F0A4B1904205EFE724AF44CD04B59BBE4FF89752F21806AF55A9F1A1E3B2D8C0CB94

Function 00AAEBE8 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00AAEBE8

Memory Dump Source

Source File: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6a0becf420e4479771ff8779b04dca66b94b91c74ea34dfd2d72a9b09b6fc9f2
Instruction ID: 7e64e46125be03fb7f14ecf5eae7922d2d88353b55ee6668a152f7cc3d7f2516
Opcode Fuzzy Hash: 6a0becf420e4479771ff8779b04dca66b94b91c74ea34dfd2d72a9b09b6fc9f2
Instruction Fuzzy Hash: 4DE08C7410910EEB8B105F3880188AF7AB4EF4B320F210708B433D3AC0C3328C518A16

Non-executed Functions

Function 00D3203F Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

j{, xrefs: 00D3230E

Memory Dump Source

Source File: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID: j{
API String ID: 0-1251682472
Opcode ID: c1bb822d8a1d0951bf8bc0b7c9bacaa58a056ce58de9baf5e84e28ad1b3044d4
Instruction ID: b167680cd1f26e73293ca806d47e3031a311157cd216fc1cef9713c4b96b55d1
Opcode Fuzzy Hash: c1bb822d8a1d0951bf8bc0b7c9bacaa58a056ce58de9baf5e84e28ad1b3044d4
Instruction Fuzzy Hash: 1FB126F3A082119FE7145E2CEC807ABB7E5EB94320F2A453EEAC4D3744E6754C458796

Function 00AADF02 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

NTDL, xrefs: 00AAE116

Memory Dump Source

Source File: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: 2689e83fe43e9f60be2234a7966b9b837886381a8c085b5e79f0702ad4143a11
Instruction ID: 7f0eb37d62ed4348dd8475c8566d5b4a46a3fa9e740aa2c610efae9827dcaa1d
Opcode Fuzzy Hash: 2689e83fe43e9f60be2234a7966b9b837886381a8c085b5e79f0702ad4143a11
Instruction Fuzzy Hash: C271237250821ECFDB05CF25C4412EF77B5EF57320F24822AE98287A82D7B20D55DB99

Function 00C2F727 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

"Be+, xrefs: 00C2F880

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID: "Be+
API String ID: 0-3965159333
Opcode ID: 0e32b7cc0ccada385273afa6c1800c8eeb70e0b90133bdf8be9b2e66658fbdae
Instruction ID: 2c9f5f536b2d469035aad0d1c676f1dfc52d535d19448c2f19096a25341d5583
Opcode Fuzzy Hash: 0e32b7cc0ccada385273afa6c1800c8eeb70e0b90133bdf8be9b2e66658fbdae
Instruction Fuzzy Hash: D551F6B250C228EBE3046E16FC51A3AF7F4EB95B10F25493DD6C346B40E6716816E793

Function 00C950FB Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e383ff2a9404cf7ab6e27162060c4b96b6980e9c31b99a0b7c22c1f1af1654a
Instruction ID: 6dddfea39e7d0ad9fddf3d76ecf5fe42d78b44c5345225420cfdb0d9f63021a7
Opcode Fuzzy Hash: 0e383ff2a9404cf7ab6e27162060c4b96b6980e9c31b99a0b7c22c1f1af1654a
Instruction Fuzzy Hash: 3541F2F680CE10DFDB06AB16DC8967EB3A4EB54320F26462DEAD667740E635280097C3

Function 00D2C459 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d616a196fa671a6214671abd0b47719c031ce22762224e3b7efd34460393b
Instruction ID: 5455d02e4a8c4f094989a7f7362dafa960e5728b74598dc8f29e178b4eec2479
Opcode Fuzzy Hash: 3c5d616a196fa671a6214671abd0b47719c031ce22762224e3b7efd34460393b
Instruction Fuzzy Hash: 4351AEB201C610EFD3046F28E89167EF7E0EF64718F22582DD6C682214E234EC81EB67

Function 00C27159 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0eb06ed1cb5bc8aa60edccecbb67cc2222837ed9ee92923e930395b0359125
Instruction ID: f9ac2869a7f50359992f4ad64e5ab0f64a7fd80f78a4dec3dc2611e0535a54ee
Opcode Fuzzy Hash: ff0eb06ed1cb5bc8aa60edccecbb67cc2222837ed9ee92923e930395b0359125
Instruction Fuzzy Hash: A74127B201C600EFE7466F15E882ABEFBE5EF94761F120D2DE6C186610E73144858B57

Function 00C27184 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1424807408.0000000000C23000.00000040.00000001.01000000.00000004.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000005.00000002.1422719008.0000000000AA0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423378183.0000000000AA2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423579711.0000000000AA6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1423752398.0000000000AAA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424083452.0000000000AB4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424156688.0000000000AB5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424179470.0000000000AB6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424770264.0000000000C0C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424785992.0000000000C0E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424807408.0000000000C2E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424842328.0000000000C35000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424912204.0000000000C37000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424943829.0000000000C39000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424960674.0000000000C3A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424977447.0000000000C45000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1424993124.0000000000C4A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425013659.0000000000C60000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425082039.0000000000C74000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425102879.0000000000C82000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425124540.0000000000C88000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425145441.0000000000C97000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425170512.0000000000C9D000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425190276.0000000000CAB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425205713.0000000000CAE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425222269.0000000000CAF000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425239162.0000000000CB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425260070.0000000000CBA000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425278000.0000000000CBC000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425300740.0000000000CBD000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425317134.0000000000CC0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425335505.0000000000CC7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425353869.0000000000CCA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425373044.0000000000CD2000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425390716.0000000000CD4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425406829.0000000000CD5000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425424830.0000000000CDE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425452120.0000000000CFE000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425469516.0000000000CFF000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425504394.0000000000D40000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425542250.0000000000D4E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1425559435.0000000000D50000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_aa0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f83a815d54fa00ff356c9db5a52541bff6127eb4582b36121a7877a441314ea
Instruction ID: dadf52cd408621693918ee04f156d3d43c85d2b942b5b5c10cfbf001d2dde24e
Opcode Fuzzy Hash: 7f83a815d54fa00ff356c9db5a52541bff6127eb4582b36121a7877a441314ea
Instruction Fuzzy Hash: 564146B241C604EFE74A6F18D8826BEFBE5EF58361F160D2DE6C186210E3314881CB5B

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 6988, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6988, Parent PID: 4056COMMON

Execution Graph

Graph

Executed Functions

Function 00C89F0C Relevance: 3.1, APIs: 2, Instructions: 107memoryCOMMON

Windows Analysis Report
file.exe

Function 00C89F0C Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 00C2691C Relevance: 1.6, APIs: 1, Instructions: 115
libraryCOMMON

Function 00C81ACB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 00C8A938 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Function 00C33ED5 Relevance: 4.6, APIs: 3, Instructions: 71
registryCOMMON

Function 00C809AB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 00C28D6C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
fileCOMMON

Function 00C28EE1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43
fileCOMMON

Function 00AAE631 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 27
memoryCOMMON

Function 00C28C7B Relevance: 1.6, APIs: 1, Instructions: 150
fileCOMMON

Function 00C28C92 Relevance: 1.6, APIs: 1, Instructions: 138
fileCOMMON

Function 00C28CB2 Relevance: 1.6, APIs: 1, Instructions: 130
fileCOMMON

Function 00C26A8D Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Function 00C28D1B Relevance: 1.6, APIs: 1, Instructions: 105
fileCOMMON