Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561525
MD5:	0a24c2e5e66d1e2c6b87bf2b0a1c6798
SHA1:	84bb168706262c83de6f7cf3a2ab360cdcb0b573
SHA256:	99d45b95b1e9ec69ff99b0b2a6a52065628a7a4cfb2c9e25c412f11d53895699
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SIDT)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 2804 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0A24C2E5E66D1E2C6B87BF2B0A1C6798)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A4388B CryptVerifySignatureA,

0_2_00A4388B

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2053920630.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F609E	0_2_009F609E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A03223	0_2_00A03223
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A036AE	0_2_00A036AE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A036C5	0_2_00A036C5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F6741	0_2_009F6741
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAF8E0	0_2_00AAF8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A03921	0_2_00A03921
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0391C	0_2_00A0391C

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00A3E880 appears 35 times

Source: file.exe, 00000000.00000002.2187817735.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2044218336.0000000000866000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04C515D0 ChangeServiceConfigA,

0_2_04C515D0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2803712 > 1048576

Source: file.exe

Static PE information: Raw size of vbqisocr is bigger than: 0x100000 < 0x2a6800

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.860000.0.unpack :EW;.rsrc:W;.idata :W;vbqisocr:EW;fkbmxbkg:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2b59b2 should be: 0x2b858e

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: vbqisocr
Source: file.exe	Static PE information: section name: fkbmxbkg
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F8CC7 push 071896FDh; mov dword ptr [esp], edi	0_2_009F8CCC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F8CC7 push 4F93A160h; mov dword ptr [esp], edi	0_2_009F8CD5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F609E push ebp; mov dword ptr [esp], 53A327FBh	0_2_009F615C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F609E push ecx; mov dword ptr [esp], 6609363Bh	0_2_009F61AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F609E push 539C1753h; mov dword ptr [esp], ebx	0_2_009F634E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A010B6 push 288AA5BBh; mov dword ptr [esp], ebx	0_2_00A010BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00870762 push 59ED1DCAh; mov dword ptr [esp], edx	0_2_008728DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086C0B3 push 36273F1Fh; mov dword ptr [esp], eax	0_2_0086C009
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FA0A9 push 4E4A5300h; mov dword ptr [esp], eax	0_2_009FA109
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FA0A9 push 53538814h; mov dword ptr [esp], ebp	0_2_009FB675
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008730C2 push eax; mov dword ptr [esp], 7A705E93h	0_2_00874626
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008720EE push ecx; mov dword ptr [esp], edi	0_2_00872105
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FF0EE push edi; mov dword ptr [esp], 7FD5D4C7h	0_2_009FFD19
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FB0E9 push 5E2668C7h; mov dword ptr [esp], edi	0_2_009FB0FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086C001 push 36273F1Fh; mov dword ptr [esp], eax	0_2_0086C009
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A0203D push edx; ret	0_2_00A0204C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00873019 push eax; mov dword ptr [esp], ebp	0_2_00873020
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FB001 push edi; mov dword ptr [esp], 402424D3h	0_2_009FB00F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FF035 push eax; mov dword ptr [esp], edx	0_2_009FF4A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A02012 push edi; ret	0_2_00A02021
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A05014 push eax; mov dword ptr [esp], 6FFBA0A6h	0_2_00A05024
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A05014 push 5253FC00h; mov dword ptr [esp], esi	0_2_00A05030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A05014 push ebp; mov dword ptr [esp], ebx	0_2_00A0505B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A05014 push esi; mov dword ptr [esp], edx	0_2_00A05084
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A05014 push ebx; mov dword ptr [esp], eax	0_2_00A0509C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A01066 push 50A073D7h; mov dword ptr [esp], esp	0_2_00A0106C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7D07D push eax; mov dword ptr [esp], esi	0_2_00A7D0B9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009F907D push 63FBA0E1h; mov dword ptr [esp], eax	0_2_009FB09D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FC070 push 46BA7300h; mov dword ptr [esp], ebx	0_2_009FC07F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FC19F push edi; mov dword ptr [esp], 7D1F9764h	0_2_009FC1A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009FF19B push edi; mov dword ptr [esp], eax	0_2_009FF1A3

Source: file.exe

Static PE information: section name: entropy: 7.777970352280691

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED834 second address: 9ED83C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED83C second address: 9ED84B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED84B second address: 9ED84F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED84F second address: 9ED85D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED85D second address: 9ED863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ED863 second address: 9ED867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC894 second address: 9EC8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3EA137BD1Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC8A5 second address: 9EC8C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C475h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC8C0 second address: 9EC8C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC8C8 second address: 9EC8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EC8CC second address: 9EC8D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECA08 second address: 9ECA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECA0E second address: 9ECA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECA12 second address: 9ECA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECA16 second address: 9ECA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECA1E second address: 9ECA2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3EA0D2C46Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECD28 second address: 9ECD47 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3EA137BD18h 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F3EA137BD1Eh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECD47 second address: 9ECD5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3EA0D2C46Bh 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECE9F second address: 9ECEAD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jl 00007F3EA137BD1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECEAD second address: 9ECECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F3EA0D2C477h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECECF second address: 9ECED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ECED4 second address: 9ECEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F3EA0D2C466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EFF4A second address: 9EFF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EFF4E second address: 9EFF58 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EFF58 second address: 9EFF5D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0085 second address: 9F00B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 73CF756Bh 0x0000000f jnp 00007F3EA0D2C46Ch 0x00000015 mov edi, dword ptr [ebp+122D2D67h] 0x0000001b lea ebx, dword ptr [ebp+12455E72h] 0x00000021 or ecx, 586DC977h 0x00000027 push eax 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F00B2 second address: 9F00B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F01AE second address: 9F01C3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jnc 00007F3EA0D2C466h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F01C3 second address: 9F01EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e jmp 00007F3EA137BD1Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F01EE second address: 9F01F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F01F2 second address: 9F0225 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F3EA137BD27h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0225 second address: 9F0229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0330 second address: 9F038C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jbe 00007F3EA137BD16h 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 jmp 00007F3EA137BD1Ah 0x00000017 mov dword ptr [ebp+122D253Fh], edx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F3EA137BD18h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 mov cx, BF00h 0x0000003d push 62A464A5h 0x00000042 push eax 0x00000043 push edx 0x00000044 jo 00007F3EA137BD18h 0x0000004a push eax 0x0000004b pop eax 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F038C second address: 9F0392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F0392 second address: 9F03FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 62A46425h 0x0000000f mov cx, B5B1h 0x00000013 push 00000003h 0x00000015 mov ecx, dword ptr [ebp+122D2F37h] 0x0000001b xor esi, dword ptr [ebp+122D254Ah] 0x00000021 push 00000000h 0x00000023 push 00000003h 0x00000025 mov edi, dword ptr [ebp+122D2D33h] 0x0000002b push C88AC8DBh 0x00000030 jno 00007F3EA137BD1Ah 0x00000036 xor dword ptr [esp], 088AC8DBh 0x0000003d lea ebx, dword ptr [ebp+12455E86h] 0x00000043 call 00007F3EA137BD27h 0x00000048 add dword ptr [ebp+122D30A5h], edx 0x0000004e pop edx 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A10AB4 second address: A10AC8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F3EA0D2C46Ch 0x0000000e jns 00007F3EA0D2C466h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F4E4 second address: A0F4E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F4E8 second address: A0F4F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F4F3 second address: A0F4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F4F9 second address: A0F523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA0D2C471h 0x00000009 jmp 00007F3EA0D2C470h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F523 second address: A0F527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F527 second address: A0F53B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jp 00007F3EA0D2C46Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F683 second address: A0F698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD21h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F83A second address: A0F877 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C46Fh 0x00000007 jmp 00007F3EA0D2C476h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F3EA0D2C474h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D85E2 second address: 9D85F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD1Bh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D85F2 second address: 9D8610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA0D2C46Bh 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f je 00007F3EA0D2C466h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A105CD second address: A105D7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12F85 second address: A12F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3EA0D2C466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A16178 second address: A16195 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3EA137BD16h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3EA137BD1Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DD650 second address: 9DD656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DD656 second address: 9DD65C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DD65C second address: 9DD660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B1EC second address: A1B1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3EA137BD16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B1F6 second address: A1B1FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1A6AF second address: A1A6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnl 00007F3EA137BD18h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F3EA137BD1Eh 0x00000013 jmp 00007F3EA137BD20h 0x00000018 jc 00007F3EA137BD16h 0x0000001e popad 0x0000001f popad 0x00000020 jnl 00007F3EA137BD43h 0x00000026 push eax 0x00000027 push edx 0x00000028 jnp 00007F3EA137BD16h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1A842 second address: A1A848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1A848 second address: A1A84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1AB53 second address: A1AB58 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1AB58 second address: A1AB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1B063 second address: A1B07E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F3EA0D2C46Ch 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DF39 second address: A1DF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3EA137BD16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1E47D second address: A1E481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1E531 second address: A1E535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1E535 second address: A1E543 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1E63A second address: A1E63E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1E63E second address: A1E650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b js 00007F3EA0D2C466h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1EAFD second address: A1EB16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1EE4C second address: A1EE5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3EA0D2C46Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1F0A3 second address: A1F0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1F0AC second address: A1F0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1F161 second address: A1F167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1F711 second address: A1F71F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22034 second address: A22038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22038 second address: A22051 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3EA0D2C471h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22B27 second address: A22B2D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22B2D second address: A22BDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3EA0D2C473h 0x00000008 jg 00007F3EA0D2C466h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F3EA0D2C468h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D2052h], edx 0x00000034 push edx 0x00000035 js 00007F3EA0D2C469h 0x0000003b mov di, dx 0x0000003e pop esi 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007F3EA0D2C468h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 0000001Ah 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b clc 0x0000005c push 00000000h 0x0000005e jnl 00007F3EA0D2C477h 0x00000064 xchg eax, ebx 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F3EA0D2C478h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24057 second address: A2405C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2405C second address: A240C9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3EA0D2C477h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c add eax, dword ptr [ebp+122D2F2Fh] 0x00000012 sbb edi, 59F8BC75h 0x00000018 popad 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F3EA0D2C468h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 movsx esi, cx 0x00000038 push 00000000h 0x0000003a mov si, dx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F3EA0D2C473h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A240C9 second address: A240D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3EA137BD16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24881 second address: A24890 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A24890 second address: A24895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2A500 second address: A2A544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3EA0D2C477h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F3EA0D2C46Ah 0x00000016 jmp 00007F3EA0D2C476h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2A544 second address: A2A55E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3EA137BD25h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2A55E second address: A2A5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F3EA0D2C468h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 jmp 00007F3EA0D2C472h 0x00000029 push 00000000h 0x0000002b ja 00007F3EA0D2C46Ch 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 jno 00007F3EA0D2C466h 0x0000003b jc 00007F3EA0D2C466h 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B561 second address: A2B5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, 751F11E5h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 mov ebx, edi 0x00000018 pop ebx 0x00000019 call 00007F3EA137BD1Fh 0x0000001e mov ebx, dword ptr [ebp+122D2D83h] 0x00000024 pop ebx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F3EA137BD18h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 movzx ebx, dx 0x00000044 mov dword ptr [ebp+122D2052h], edx 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d jns 00007F3EA137BD1Ch 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2B5CD second address: A2B5F7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA0D2C47Fh 0x00000008 jmp 00007F3EA0D2C479h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2C513 second address: A2C519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2C519 second address: A2C51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2C51D second address: A2C533 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F3EA137BD1Eh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A266CE second address: A266D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A27783 second address: A27787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2862D second address: A286CB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jne 00007F3EA0D2C466h 0x00000011 pop eax 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 cmc 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F3EA0D2C468h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 mov bx, 3FEAh 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F3EA0D2C468h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 0000001Ah 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d mov ebx, dword ptr [ebp+122D2F53h] 0x00000063 mov eax, dword ptr [ebp+122D04ADh] 0x00000069 jl 00007F3EA0D2C469h 0x0000006f movsx edi, ax 0x00000072 push FFFFFFFFh 0x00000074 jmp 00007F3EA0D2C46Dh 0x00000079 add edi, dword ptr [ebp+122D2DD3h] 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 jnl 00007F3EA0D2C466h 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2A7C0 second address: A2A7CA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3EA137BD1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2C70C second address: A2C75A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3EA0D2C477h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F3EA0D2C475h 0x00000019 jmp 00007F3EA0D2C472h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A286CB second address: A286D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2E530 second address: A2E546 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C471h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A286D0 second address: A286D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A286D6 second address: A286DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A30AEE second address: A30B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA137BD29h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A30B0C second address: A30B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32CAA second address: A32CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A32CAE second address: A32CCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F3EA0D2C470h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A353FD second address: A35403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A36457 second address: A3645D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3645D second address: A364B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+1246014Dh], eax 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F3EA137BD18h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jmp 00007F3EA137BD21h 0x00000032 push 00000000h 0x00000034 and ebx, 3E2D0341h 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push esi 0x0000003e jmp 00007F3EA137BD1Eh 0x00000043 pop esi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A364B8 second address: A364E3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3EA0D2C46Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F3EA0D2C476h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A365E9 second address: A365EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A365EF second address: A365F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A376C0 second address: A376C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A376C4 second address: A376C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37774 second address: A3777A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3876B second address: A3876F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3876F second address: A38773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A38773 second address: A3877F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3877F second address: A38785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A38785 second address: A3878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3AD29 second address: A3AD33 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A48448 second address: A4844E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4844E second address: A48458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3EA137BD16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52B95 second address: A52B9F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52B9F second address: A52BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3EA137BD22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52CCE second address: A52CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3EA0D2C471h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52D6F second address: A52D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jne 00007F3EA137BD29h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push esi 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52D96 second address: A52DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52DA3 second address: A52DCD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3EA137BD27h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A52DCD second address: A52DD7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57E12 second address: A57E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A570DE second address: A570F3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3EA0D2C46Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A570F3 second address: A57133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA137BD1Dh 0x00000009 jc 00007F3EA137BD16h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F3EA137BD1Eh 0x0000001a pushad 0x0000001b popad 0x0000001c jnc 00007F3EA137BD16h 0x00000022 push eax 0x00000023 jmp 00007F3EA137BD22h 0x00000028 pushad 0x00000029 popad 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A576E0 second address: A576F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3EA0D2C472h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A576F6 second address: A57718 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F3EA137BD25h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A57718 second address: A5771E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C375 second address: A5C37F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C37F second address: A5C385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B2AB second address: A5B2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007F3EA137BD1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1CEF9 second address: A1CF0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3EA0D2C46Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1CF0C second address: A1CF24 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3EA137BD1Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1CF24 second address: A1CF2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1CF2A second address: A1CF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1CF2E second address: A1CF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3EA0D2C478h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1D18F second address: A1D1C7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3EA137BD29h 0x00000008 jmp 00007F3EA137BD23h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3EA137BD25h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1DAE9 second address: A078DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F3EA0D2C468h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 cld 0x00000023 lea eax, dword ptr [ebp+124826A4h] 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F3EA0D2C468h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 push eax 0x00000044 jmp 00007F3EA0D2C473h 0x00000049 mov dword ptr [esp], eax 0x0000004c push ebx 0x0000004d jmp 00007F3EA0D2C478h 0x00000052 pop ecx 0x00000053 call dword ptr [ebp+122D1DBEh] 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c jl 00007F3EA0D2C466h 0x00000062 jmp 00007F3EA0D2C478h 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A078DB second address: A078F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3EA137BD29h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5B6E9 second address: A5B708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3EA0D2C479h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5BF38 second address: A5BF3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2690 second address: 9E269A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E269A second address: 9E26A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E26A2 second address: 9E26BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3EA0D2C471h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E26BB second address: 9E26C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67CB2 second address: A67CCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C478h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67CCE second address: A67CE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67CE7 second address: A67CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A69 second address: A66A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A6F second address: A66A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A73 second address: A66A88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3EA137BD1Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66D11 second address: A66D1B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3EA0D2C46Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67185 second address: A67189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67189 second address: A6718D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6718D second address: A67199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A667D0 second address: A667D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A667D8 second address: A667DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6743D second address: A67441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67441 second address: A67458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F3EA137BD1Eh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A67458 second address: A6745E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6745E second address: A67470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 jnp 00007F3EA137BD2Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A675AF second address: A675BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3EA0D2C466h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A704B4 second address: A704E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD23h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3EA137BD1Fh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A704E0 second address: A704E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A704E6 second address: A704EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A704EC second address: A704F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6B38 second address: 9D6B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6B3C second address: 9D6B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3EA0D2C466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3EA0D2C472h 0x00000011 jnp 00007F3EA0D2C468h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6ED39 second address: A6ED3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6ED3F second address: A6ED52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3EA0D2C466h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F3EA0D2C466h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6ED52 second address: A6ED58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6ED58 second address: A6ED5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6EED4 second address: A6EEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F3EA137BD16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6EEE0 second address: A6EEEE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3EA0D2C468h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6EEEE second address: A6EEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6EEF2 second address: A6EF0E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3EA0D2C466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F3EA0D2C48Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F3EA0D2C466h 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F21A second address: A6F221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F221 second address: A6F22D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3EA0D2C466h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F22D second address: A6F23C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F23C second address: A6F243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F3CD second address: A6F3FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3EA137BD1Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F3EA137BD22h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F3EA137BD16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F3FF second address: A6F40D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F3EA0D2C466h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F40D second address: A6F417 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F831 second address: A6F847 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3EA0D2C46Eh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F847 second address: A6F84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F84D second address: A6F851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F9BF second address: A6F9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F9C3 second address: A6F9CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F9CB second address: A6F9DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72C21 second address: A72C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F3EA0D2C46Fh 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A72C3B second address: A72C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7281D second address: A72824 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75AF2 second address: A75AFC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3EA137BD1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75AFC second address: A75B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA0D2C471h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75B17 second address: A75B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75B24 second address: A75B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75516 second address: A75530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3EA137BD16h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3EA137BD1Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A757D8 second address: A75801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3EA0D2C466h 0x0000000a pushad 0x0000000b jmp 00007F3EA0D2C476h 0x00000010 jc 00007F3EA0D2C466h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75801 second address: A75829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jmp 00007F3EA137BD1Ah 0x0000000e jp 00007F3EA137BD16h 0x00000014 pop eax 0x00000015 jmp 00007F3EA137BD1Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7A0FF second address: A7A113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3EA0D2C46Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D6E6 second address: A7D6F8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3EA137BD16h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D148 second address: A7D15F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C471h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D15F second address: A7D165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81972 second address: A81991 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3EA0D2C466h 0x00000008 jmp 00007F3EA0D2C46Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F3EA0D2C46Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81991 second address: A8199D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8199D second address: A819A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81C91 second address: A81CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007F3EA137BD1Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007F3EA137BD16h 0x00000015 jo 00007F3EA137BD16h 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81CBB second address: A81CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A81F8D second address: A81F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A82108 second address: A8210D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A847E9 second address: A8480C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F3EA137BD29h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8480C second address: A84812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A84812 second address: A84845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 ja 00007F3EA137BD47h 0x0000000c pushad 0x0000000d jns 00007F3EA137BD16h 0x00000013 jp 00007F3EA137BD16h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007F3EA137BD16h 0x00000024 jmp 00007F3EA137BD1Fh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8D78A second address: A8D7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3EA0D2C466h 0x0000000a pop ecx 0x0000000b jno 00007F3EA0D2C46Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8D7A5 second address: A8D7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B72F second address: A8B73B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F3EA0D2C466h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B73B second address: A8B73F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C001 second address: A8C023 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F3EA0D2C477h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C327 second address: A8C32D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C32D second address: A8C33A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F3EA0D2C472h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C33A second address: A8C340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8D11A second address: A8D15B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA0D2C479h 0x00000009 popad 0x0000000a jnc 00007F3EA0D2C46Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3EA0D2C471h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8D15B second address: A8D15F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8ED62 second address: A8ED77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3EA0D2C466h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97513 second address: A97519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97519 second address: A9751D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9751D second address: A97526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97526 second address: A97533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3EA0D2C466h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A967E9 second address: A967F3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A967F3 second address: A967FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A967FA second address: A9682B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 js 00007F3EA137BD18h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F3EA137BD27h 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007F3EA137BD16h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96956 second address: A96961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96961 second address: A96966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96B14 second address: A96B1E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3EA0D2C466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96E1E second address: A96E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96E24 second address: A96E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97136 second address: A9713B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9713B second address: A97154 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA0D2C474h 0x00000008 jmp 00007F3EA0D2C46Eh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9FC5C second address: A9FC61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9FC61 second address: A9FC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA0D2C46Dh 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9FC76 second address: A9FC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DFB3 second address: A9DFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DFBE second address: A9DFC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E23E second address: A9E242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E931 second address: A9E937 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E937 second address: A9E93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F1F1 second address: A9F20B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD26h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F20B second address: A9F22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 js 00007F3EA0D2C466h 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3EA0D2C46Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F22A second address: A9F249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F3EA137BD25h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F249 second address: A9F24F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DA3C second address: A9DA4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F3EA137BD16h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DA4E second address: A9DA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3EA0D2C477h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9DA69 second address: A9DA6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA63A3 second address: AA63A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6585 second address: AA658D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA658D second address: AA6591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6591 second address: AA6597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA80A0 second address: AA80CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C477h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jl 00007F3EA0D2C495h 0x00000010 pushad 0x00000011 je 00007F3EA0D2C466h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA80CB second address: AA80D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F3EA137BD16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7EF8 second address: AA7F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7F04 second address: AA7F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jne 00007F3EA137BD16h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f ja 00007F3EA137BD18h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7F1B second address: AA7F26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3EA0D2C466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF4B0 second address: AAF4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF4C9 second address: AAF4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB6B08 second address: AB6B3B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA137BD16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F3EA137BD27h 0x00000010 pop ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F3EA137BD1Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABAF1D second address: ABAF25 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABE829 second address: ABE842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA137BD1Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABE842 second address: ABE84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC71F0 second address: AC71F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC92F7 second address: AC92FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC92FD second address: AC9326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F3EA137BD29h 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9326 second address: AC933A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jnp 00007F3EA0D2C478h 0x0000000c js 00007F3EA0D2C472h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD17C7 second address: AD1807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F3EA137BD2Dh 0x0000000d jmp 00007F3EA137BD27h 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007F3EA137BD16h 0x0000001a jmp 00007F3EA137BD24h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1C59 second address: AD1C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD7176 second address: AD7182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F3EA137BD16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6C7F second address: AD6CA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C478h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6CA0 second address: AD6CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6DFF second address: AD6E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD6E08 second address: AD6E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA36C second address: ADA370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA370 second address: ADA397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3EA137BD20h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3EA137BD1Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA397 second address: ADA3AF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3EA0D2C466h 0x00000008 jmp 00007F3EA0D2C46Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA3AF second address: ADA3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF03C8 second address: AF03D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F3EA0D2C466h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF03D4 second address: AF041B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3EA137BD1Ch 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3EA137BD26h 0x00000017 jp 00007F3EA137BD2Dh 0x0000001d jmp 00007F3EA137BD21h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF041B second address: AF041F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF041F second address: AF0427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0427 second address: AF042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF042B second address: AF042F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF0241 second address: AF0269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3EA0D2C46Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3EA0D2C472h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9F2F second address: AF9F35 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9F35 second address: AF9F44 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3EA0D2C46Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9F44 second address: AF9F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9695 second address: AF96A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 js 00007F3EA0D2C466h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9962 second address: AF9967 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9C7B second address: AF9C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9C82 second address: AF9C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9C88 second address: AF9C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9C8E second address: AF9C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFD3EF second address: AFD415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3EA0D2C466h 0x0000000a pop ecx 0x0000000b push edi 0x0000000c jmp 00007F3EA0D2C478h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFD415 second address: AFD42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F3EA137BD1Fh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05C64 second address: B05C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3EA0D2C466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05C6E second address: B05C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B057EE second address: B057F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B057F2 second address: B05817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F3EA137BD1Dh 0x0000000c jmp 00007F3EA137BD20h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05817 second address: B05827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3EA0D2C466h 0x0000000a jns 00007F3EA0D2C466h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B05827 second address: B0582B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE423 second address: AFE42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE42F second address: AFE433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE433 second address: AFE44B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3EA0D2C474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE44B second address: AFE453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFE453 second address: AFE457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFD272 second address: AFD285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F3EA137BD1Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFD285 second address: AFD28A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFD28A second address: AFD29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3EA137BD1Dh 0x0000000c rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 86DD0C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A3AD8D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: AA9907 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6EE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086E007 rdtsc

0_2_0086E007

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A0205F sidt fword ptr [esp-02h]

0_2_00A0205F

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4352

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086E007 rdtsc

0_2_0086E007

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A01F05 LdrInitializeThunk,

0_2_00A01F05

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: _FhProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00A429CD GetSystemTime,GetFileTime,

0_2_00A429CD

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	271 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Bypass User Account Control	1 Process Injection	NTDS	271 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561525
Start date and time:	2024-11-23 16:28:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.469047630272562
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'803'712 bytes
MD5:	0a24c2e5e66d1e2c6b87bf2b0a1c6798
SHA1:	84bb168706262c83de6f7cf3a2ab360cdcb0b573
SHA256:	99d45b95b1e9ec69ff99b0b2a6a52065628a7a4cfb2c9e25c412f11d53895699
SHA512:	19edf3a436a9e392e302a2a152affdd2156810ce26e247aa8b27314b2afc5b3cba6e5611a2da5b4f144275aeaa987c92186615fc2e17de9ade2fa3f326f9dc77
SSDEEP:	49152:rslMo7AYz59L9zvs+71OOmkVsxrtyqEvyHVTMIGw3p:wlMo7A659L9zvN2c/w3
TLSH:	23D52BB1F60976CBD49B26789427CE82695F43F9471108E3EC6874BABE73CC126B5C24
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+......Y+...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6b4000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F3EA127402Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	0d84dd34394594e8a3045a6928f00515	False	0.9325086805555556	data	7.777970352280691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vbqisocr	0xa000	0x2a8000	0x2a6800	0c124bb97df8d5c89c70003d3d736059	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fkbmxbkg	0x2b2000	0x2000	0x400	9ddf52b528bc30a02d4fa022531b7710	False	0.7802734375	data	6.184280159069747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2b4000	0x4000	0x2200	371fba8f9748738c2cea92a463a21168	False	0.05480238970588235	DOS executable (COM)	0.6140319122512601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	10:28:57
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x860000
File size:	2'803'712 bytes
MD5 hash:	0A24C2E5E66D1E2C6B87BF2B0A1C6798
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	6%
Signature Coverage:	1.2%
Total number of Nodes:	252
Total number of Limit Nodes:	12

Executed Functions

Function 04C515D0 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04C518C8

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 78b558b8f576ed2af3ae7efede490ffc4a5f248ff71331ee9c3d33ea7804a416
Instruction ID: a56e839b22fc721e69241aa6c54fe990b57d529bd76c064ee9a3f62c1f9fcf0a
Opcode Fuzzy Hash: 78b558b8f576ed2af3ae7efede490ffc4a5f248ff71331ee9c3d33ea7804a416
Instruction Fuzzy Hash: 50C17C70D002599FDB10CFA9C8897AEBBF2FF45314F188629EC54E7264DB74A981CB85

Function 00A3FF53 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 00A40064
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00A40078

Strings

.exe, xrefs: 00A3FFBF
.dll, xrefs: 00A3FF9B
1002, xrefs: 00A4002E

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 149ad5914b96a1eb2b9d75d4e90688d25fd491a12f7c4243be29a61fc8451c66
Instruction ID: ddb1a0a78849298c574ad4282f8140daaf65db22a3580c405024aa713e428710
Opcode Fuzzy Hash: 149ad5914b96a1eb2b9d75d4e90688d25fd491a12f7c4243be29a61fc8451c66
Instruction Fuzzy Hash: 05319C36810109EFDF25AF50EA04BAD7F76FF88340F108129F90296461D7719DA0EB91

Function 009F8CC7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009FC818
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009FC83F
GetNativeSystemInfo.KERNELBASE(?), ref: 009FC896

Strings

ya1t, xrefs: 009FC3D3

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID: ya1t
API String ID: 1247124224-4015203210
Opcode ID: 42a34c6bdc7bb4a452a59386f20c4fdfd8549caccb2765a0dd0a9c8ec99774fb
Instruction ID: 54468f5535e85b571989eac349654c79d8491eb6fdd442e39aed6fa0f789e23c
Opcode Fuzzy Hash: 42a34c6bdc7bb4a452a59386f20c4fdfd8549caccb2765a0dd0a9c8ec99774fb
Instruction Fuzzy Hash: 9A417CB250410EDFDF25DE10C948ABF37A9EF09350F10892AEA8286951DB765CA4DF19

Function 00A40459 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00A403EB,?,00000000,00000000), ref: 00A40516
GetModuleHandleA.KERNEL32(00000000,?,?,?,00A403EB,?,00000000,00000000), ref: 00A40524

Strings

.dll, xrefs: 00A4048C

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: b9c4d7f4b2a3d7fd361779015a8bad9a671e400d0860a2121e0e0e668e07587a
Instruction ID: 9c1b0af76988361f6be9984635674daa681e58e862785196e81a3d4e1294f57c
Opcode Fuzzy Hash: b9c4d7f4b2a3d7fd361779015a8bad9a671e400d0860a2121e0e0e668e07587a
Instruction Fuzzy Hash: 5B11FAB4105609EFEB34AF54C909B9D7AB0FF90745F04C225BA02444E2D7B5AED4EE93

Function 00A42DB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00E3A54C,-11A65FEC), ref: 00A42E2C
GetFileAttributesA.KERNEL32(00000000,-11A65FEC), ref: 00A42E3A

Strings

@, xrefs: 00A42DDF

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: a79cd1bb3ec872b1b0d752c9466a7b9b937f3e891b4edd73b0e13f02e6661bfe
Instruction ID: 93d5916de2f70648602e41ffcf2b92a74bcae2e5c047c74491da9bfc06ebc1c9
Opcode Fuzzy Hash: a79cd1bb3ec872b1b0d752c9466a7b9b937f3e891b4edd73b0e13f02e6661bfe
Instruction Fuzzy Hash: C6013C34904608FAEB21DF54C90A7ADBE71AF80344F608065F502690E1D7B4AAD5EB80

Function 009FC7C7 Relevance: 4.6, APIs: 3, Instructions: 62
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009FC818
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009FC83F
GetNativeSystemInfo.KERNELBASE(?), ref: 009FC896

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: 0adba6ff9cdb4e582aa4ee3d04b9ff539d5004a47f10b99e098940f27b702dfa
Instruction ID: f261d14ae57f3586b52df20ce743fdc58186a9b100b0e1068da71a5b1c9e5404
Opcode Fuzzy Hash: 0adba6ff9cdb4e582aa4ee3d04b9ff539d5004a47f10b99e098940f27b702dfa
Instruction Fuzzy Hash: 7221397151010E9FEF21DF60CA487EF37A8EF0A350F008916EA8181952D7769CB4DF58

Function 00A3EE33 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 00A3EE95

Strings

\\?\, xrefs: 00A3EEF0

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: e353bc17e1bdd58b1aa2a4a2032e57da8d637ab152b960b01ae03d9e264cf482
Instruction ID: 15c8559579864380f9c1735bf996828fb362f0408eb8c6c0fa6a9e90f38dacfd
Opcode Fuzzy Hash: e353bc17e1bdd58b1aa2a4a2032e57da8d637ab152b960b01ae03d9e264cf482
Instruction Fuzzy Hash: 3A310636A0020ABFDF21DF94CD09B9EBBB6FF04749F000165F901A50A0E7B29AA5DB51

Function 00A40542 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00A405A6

Strings

.dll, xrefs: 00A40563

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CurrentHandleModuleSleepThread
String ID: .dll
API String ID: 683542999-2738580789
Opcode ID: 1af393d0502de4ebf86174fc85d0fe46740f818e7e25eb516a975a7ba4e8b5b1
Instruction ID: 6f2c23e8283bd7b74efa2a7397314e1d66048911da8b72c414334753578a30d2
Opcode Fuzzy Hash: 1af393d0502de4ebf86174fc85d0fe46740f818e7e25eb516a975a7ba4e8b5b1
Instruction Fuzzy Hash: 94F0F9B6100205ABDF50EF64D945B697BB4FF98350F108411FE0689092D771D960AE12

Function 00A42FCF Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00E3A54C,?,?,-11A65FEC,?,?,?,-11A65FEC,?), ref: 00A43081

Part of subcall function 00A42F81: IsBadWritePtr.KERNEL32(?,00000004), ref: 00A42F8F

CreateFileA.KERNEL32(?,?,?,-11A65FEC,?,?,?,-11A65FEC,?), ref: 00A430A1

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 9fa878208eb6e81202d46ecb96bdc6ef3421241e4ccfcb3ea910c72edd6d475d
Instruction ID: ebe54bf41026abcf84c0a018293c75ac9a2f4065e17c0cb316ecc89f1c947776
Opcode Fuzzy Hash: 9fa878208eb6e81202d46ecb96bdc6ef3421241e4ccfcb3ea910c72edd6d475d
Instruction Fuzzy Hash: 4411073610514AFBDF22AF94DE09BAE7E72BF94344F104215FA02640A1C7B68AB5FB51

Function 00A4293B Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

GetCurrentProcess.KERNEL32(-11A65FEC), ref: 00A42948
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A429AE

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessSleepThread
String ID:
API String ID: 2846201637-0
Opcode ID: d6ddc5fc9f6699fb36410dddd240c3c70bf80b69b9c23785e3b5d5de5d899ccb
Instruction ID: 5c2f891efd8525855c393d2a1d84049dce8dcd014e364c2d0cdbc4ddb50f6374
Opcode Fuzzy Hash: d6ddc5fc9f6699fb36410dddd240c3c70bf80b69b9c23785e3b5d5de5d899ccb
Instruction Fuzzy Hash: DA01463610014AFB8F12AFA4DD49E9E7F79FF88350F004521F90690061D771D0A2EB21

Function 00A3E880 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: d7bf324cc4d9dcbfd062ecc2019a4b057462a0544b75e0f71c8f02669db8b46f
Instruction ID: 0122fac3afeb66ebda215e295c18a2ee0ac20f4dc1b6ebb658cc80c2dc26f5a8
Opcode Fuzzy Hash: d7bf324cc4d9dcbfd062ecc2019a4b057462a0544b75e0f71c8f02669db8b46f
Instruction Fuzzy Hash: 77F09032901209EFDB21CF94C84476EB7B4EF41319F600139F10291481DBB02D85D781

Function 04C515C4 Relevance: 1.8, APIs: 1, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04C518C8

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ChangeConfigService
String ID:
API String ID: 3849694230-0
Opcode ID: 16de1a06711580ca40e97fdb37b3e243144144e9f8918ff1a5790ad7b8145623
Instruction ID: 56dd1293e9d16d7c6a4a1c23791aa5fe3ddcc93962a20d0d65dd1d2ddb37bbf1
Opcode Fuzzy Hash: 16de1a06711580ca40e97fdb37b3e243144144e9f8918ff1a5790ad7b8145623
Instruction Fuzzy Hash: A4C16D70D006599FEB10CFA8C8497ADBBF2FF45314F188529EC54E7264DB74A981CB85

Function 00A40FBA Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00A4106F

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1961be8daa4406fc3bf1689a9540453874eb730857a2e06c6ed4f8dfcab6dcf9
Instruction ID: 2c300530802ec0e5fe5205b14c4296d785cc483f0518ea633f9b29db160b69c5
Opcode Fuzzy Hash: 1961be8daa4406fc3bf1689a9540453874eb730857a2e06c6ed4f8dfcab6dcf9
Instruction Fuzzy Hash: C3318D75A00209BFEB209F65DC45F9DBBB8EB84714F20822AF505AA1D1D7B29A91DB10

Function 00A407D6 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00A40858

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f48c53bdc80ce0b87c82bcb09d0d5642cc3b53de919954e8466fac5361613c71
Instruction ID: d1bc4cfe7555f82c4cb13e5aa18bbd3dbff36bb1487554045f21008e6dccc700
Opcode Fuzzy Hash: f48c53bdc80ce0b87c82bcb09d0d5642cc3b53de919954e8466fac5361613c71
Instruction Fuzzy Hash: 3631C375A00204BEEB209F64DD45F99BBB8EF80724F208365F712EE0D1D3B1A952DB94

Function 04C50D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04C50DCD

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 097dcca0657b66a82e9f7177732e0c9ebe551d63332186ca1c406011455e8cfb
Instruction ID: 54d5133a8bc31a3d9ae7c2162876eb593d05703cb47fb0de9f170da09ce75326
Opcode Fuzzy Hash: 097dcca0657b66a82e9f7177732e0c9ebe551d63332186ca1c406011455e8cfb
Instruction Fuzzy Hash: 762144B6C002089FCB50CF9AD885ADEFBF5FF88310F14821AD808AB204C734A640CBA4

Function 04C50D41 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04C50DCD

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 0473f8d3ac451cfe08db9c00e75f062daec90d3a2d6190d90cc9dcfd9441f7a6
Instruction ID: ecf41da300ae27d76b41b977cbbc6fb01b7f268dbfb336c48e781903ea0534bb
Opcode Fuzzy Hash: 0473f8d3ac451cfe08db9c00e75f062daec90d3a2d6190d90cc9dcfd9441f7a6
Instruction Fuzzy Hash: C22137B6D002098FDB40CF99D485ADEFBF1EB88310F14855AD908EB254C738A641CBA4

Function 04C51510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04C51580

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: fe9886faa16e5490baf9099d1d04ddde9899c2b9cdc15691fff45b8adc87152d
Instruction ID: a149ff2de067034991172f0b3f700a9a5b846798aab3008d520b63a8a88fc930
Opcode Fuzzy Hash: fe9886faa16e5490baf9099d1d04ddde9899c2b9cdc15691fff45b8adc87152d
Instruction Fuzzy Hash: 9711E4B1D002499FDB10DF9AC584BDEFBF4EB49320F54802AE959A3250D778A644CFA5

Function 04C51509 Relevance: 1.6, APIs: 1, Instructions: 51serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04C51580

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 3a6ec046417acf1ed765b3c1e6a88834007c8a54a14ccade171a48d1e9dd239b
Instruction ID: ad7aadb26c39e5fc62e8d2afa587e45eee3d048faff6c83cc6c51b9eaa0846e0
Opcode Fuzzy Hash: 3a6ec046417acf1ed765b3c1e6a88834007c8a54a14ccade171a48d1e9dd239b
Instruction Fuzzy Hash: A92114B5D00249CFDB10CF9AC544BDEFBF5EB48310F14802AD958A3250C778A644CFA5

Function 00A43B07 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11A65FEC), ref: 00A43B8E

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CurrentFileSleepThreadView
String ID:
API String ID: 2270672837-0
Opcode ID: 58cd0f554f395332f02efb05bbec72beb1cf71db352b17b66e7adf04c1c6fd78
Instruction ID: 04d77fbe673b7a3d920e848ba80a8e0518ae1b52d65d40f7f89e40247a4012af
Opcode Fuzzy Hash: 58cd0f554f395332f02efb05bbec72beb1cf71db352b17b66e7adf04c1c6fd78
Instruction Fuzzy Hash: 4111E23710014AFFCF12AFA4DE09E9A3B66EF98380B004525FA0255061D77696B2EB61

Function 04C51301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04C51367

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: cabe513a220e689c6d556ef76771b1d7aa5ddd1b5ca081e5c1f39874de86073f
Instruction ID: 4d9676a21531e8fb9009d0f989282bb5d54d7120eb2c746169cbd48a7e99e2f4
Opcode Fuzzy Hash: cabe513a220e689c6d556ef76771b1d7aa5ddd1b5ca081e5c1f39874de86073f
Instruction Fuzzy Hash: 3B1166B1800249CFDB10CFAAC585BEEFBF4EF49320F14846AD528A3250D778A581CFA5

Function 00A438EF Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: a2878cb4ce5608ae1ed73aa4f96851f8af042ca66ccecdd1e9621f0a59880886
Instruction ID: cb62d7861dd022e5f4f6e2988625f7d1f3500ca5759e76168a775dfbc1877eef
Opcode Fuzzy Hash: a2878cb4ce5608ae1ed73aa4f96851f8af042ca66ccecdd1e9621f0a59880886
Instruction Fuzzy Hash: E3116D3B10024AEBCF12AFA4CA19FAE7BB5FF84345F108410F912560A2C7B5CA61EB50

Function 04C51308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04C51367

Memory Dump Source

Source File: 00000000.00000002.2188943801.0000000004C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c50000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: b5771a1c732fd6c84658c8b2b0f0e3e6aeefa7a4981ca8db2020cfb342aca8e7
Instruction ID: b85c4c525522bb1e2a75bfacc4aaeeec582ccdfb1d5cf62d9b057d414c4ad179
Opcode Fuzzy Hash: b5771a1c732fd6c84658c8b2b0f0e3e6aeefa7a4981ca8db2020cfb342aca8e7
Instruction Fuzzy Hash: 481106B1800249CFDB10DF9AC545BDEFBF8EF49320F14846AD558A3650D778A584CFA5

Function 00A431D3 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11A65FEC,?,?,00A40F02,?,?,00000400,?,00000000,?,00000000), ref: 00A4323F

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CurrentFileReadSleepThread
String ID:
API String ID: 1253362762-0
Opcode ID: 8ef87873bc6067b4607d2fe13a0ea4fdd85b14200c2d6e4176345a0b04f0f726
Instruction ID: 455386e0095261ce5374528d2c5e745861b9d526da7228dec1551d8c5e2dc070
Opcode Fuzzy Hash: 8ef87873bc6067b4607d2fe13a0ea4fdd85b14200c2d6e4176345a0b04f0f726
Instruction Fuzzy Hash: 32F0C937100149FBDF12AF95DD09E9A3F76FFA9740F008521FA0149061D772D5A1EB61

Function 00A401B6 Relevance: 1.5, APIs: 1, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00A3F96C,00A3F96C), ref: 00A40201

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4defd7698b9eef1f6e73d02fbe1de185bcc538389be1f76d4fd29e224f60e356
Instruction ID: 0ab0534c7ec7bc6e003c130acc5d2d5404c90c9cbae05625e85d6023349ca856
Opcode Fuzzy Hash: 4defd7698b9eef1f6e73d02fbe1de185bcc538389be1f76d4fd29e224f60e356
Instruction Fuzzy Hash: 31E06D35540109AACF013B79CA09E8E7E66AEE0340F008232BE02980A6EB34C862F620

Function 00A3EA51 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 00A3EAB5

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 7127575fc6c6319c90395e427e2f30c60223fef1b73c430044f0a411bae471ec
Instruction ID: ce1e34555eb57c4139a4cd478ab7e4fe83c9b863c5d7359222a2bbc301a18598
Opcode Fuzzy Hash: 7127575fc6c6319c90395e427e2f30c60223fef1b73c430044f0a411bae471ec
Instruction Fuzzy Hash: A4019636A00509BFCF21DFA5DC05EDEBF76FF48781F004565B402A44A1E7729661EB64

Function 00A415D4 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

CloseHandle.KERNELBASE(00A40F97,-11A65FEC,?,?,00A40F97,?), ref: 00A41612

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CloseCurrentHandleSleepThread
String ID:
API String ID: 4003616898-0
Opcode ID: cc1b2c822dbdfdc5f4717b8748f24e5ec8cb534237eddc4417f719a862d2da0e
Instruction ID: d37f940cfae2437c230dde50b8c49e854b276e56d0fd81cefc0832f080b6dafa
Opcode Fuzzy Hash: cc1b2c822dbdfdc5f4717b8748f24e5ec8cb534237eddc4417f719a862d2da0e
Instruction Fuzzy Hash: 64E04F76204105E6DE10BB79DA09F4EAEA8EFD0780F024532F50785491EB65E592D661

Function 00A40699 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00A3E71F,?,?), ref: 00A4069F

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: eb85472ca837eb5baf34e5796c8a60973784075c62659ef3474dcfb4b16ca3c9
Instruction ID: 80a49541cac7fe3155b3afd1033cc7c39c873af5a8175c5ef7b991f74de2e30c
Opcode Fuzzy Hash: eb85472ca837eb5baf34e5796c8a60973784075c62659ef3474dcfb4b16ca3c9
Instruction Fuzzy Hash: CBB09231000119BBCF01BF51DD06C4EFF69FF95799B518121BA07444619BB6E970AB90

Non-executed Functions

Function 00A429CD Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

GetSystemTime.KERNEL32(?,-11A65FEC), ref: 00A42A02
GetFileTime.KERNEL32(?,?,?,?,-11A65FEC), ref: 00A42A45

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: Time$CurrentFileSleepSystemThread
String ID:
API String ID: 3818558864-0
Opcode ID: 60b964c9c825ec3155f3c7c3039c4d6d05ba2c9046b9073fc9e75a0a7000c575
Instruction ID: 999b56d42621026559a94f0be5f50cfeb883ef80e802e1c6d23a7d91ae717aae
Opcode Fuzzy Hash: 60b964c9c825ec3155f3c7c3039c4d6d05ba2c9046b9073fc9e75a0a7000c575
Instruction Fuzzy Hash: 5501D23620418AFBCF21AF59E90DE9A7F75FFC5791B404121F802854A0DB71E9A2EB61

Function 00A4388B Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00A438D2

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: 5f8eb33d69dfa695b72a2fca1f08afa79e7bd8303f91faf9e24b560897cda0a7
Instruction ID: 74e71b6393914762c92384fed6e39b7995ad5c6f310de23ef7e005020914058e
Opcode Fuzzy Hash: 5f8eb33d69dfa695b72a2fca1f08afa79e7bd8303f91faf9e24b560897cda0a7
Instruction Fuzzy Hash: F1F0F83760124AEFCF01CFA4C94498D7BB2FF44344B108529F90696261D376D660EF40

Function 00AAF8E0 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

c&c?, xrefs: 00AAF806

Memory Dump Source

Source File: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID: c&c?
API String ID: 0-3433146618
Opcode ID: 88128ca5909ae20a51c0dda4eecee336f9ab921d0267b780b1bfd5e44b32f873
Instruction ID: 168ae888a545f9724897ea7be390563a499f21d42a0a49d12cb5675821497508
Opcode Fuzzy Hash: 88128ca5909ae20a51c0dda4eecee336f9ab921d0267b780b1bfd5e44b32f873
Instruction Fuzzy Hash: 6B41BFB250C200EFE308AE59DC8173AB7F5EB99710F25483DE6C6C3394E73558509A87

Function 00A03223 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3a5f988fd41932772787a78c265135763ac300ff6c93538350615054d3d02d
Instruction ID: c189e8cc704780e19f17a0d39fb475da1e01cd1889b4fd1d2a12ccab5d5b0db8
Opcode Fuzzy Hash: 3d3a5f988fd41932772787a78c265135763ac300ff6c93538350615054d3d02d
Instruction Fuzzy Hash: 1D61E0B240C3519FD7029F6898916AAFBF4FF16310F0688AEE9C5CB252E3344814CB63

Function 009F609E Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f21adf44e9a46deac4e536eeecc8ae46fd928cab13c533af028ef6bb89c052
Instruction ID: b9a0b66deaf7d46cf3d9567339f8c3e6fcf0da6a1dab17aa775291f9171d7ba4
Opcode Fuzzy Hash: 82f21adf44e9a46deac4e536eeecc8ae46fd928cab13c533af028ef6bb89c052
Instruction Fuzzy Hash: FC41D6F3A0C308DFD3006A29ED9163ABBE5AB14350F360D3EE786C7201EA395855A757

Function 00A03921 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8e05205d1f6c05032e0b975bc5558c6eedd92f81074f3d3b83bc3a133f06ea
Instruction ID: 085d96012002b1ae93db877351ccf00150fbe77d1f0a3b8c46e5127ddad7c6fd
Opcode Fuzzy Hash: eb8e05205d1f6c05032e0b975bc5558c6eedd92f81074f3d3b83bc3a133f06ea
Instruction Fuzzy Hash: B741D3B290C6009FE71ABF69D84267EFBE1FF98710F16482DE6C586220E7355490CB97

Function 0086E007 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f2775ad733b7e7c800c8e95a7a9bbd2765f9342f9e4ab6889947cad4c80200
Instruction ID: 32cfdac2dfc279e1b609aa48213e63db4d025ad2ddaef48e5767bbf0a07ccd64
Opcode Fuzzy Hash: 38f2775ad733b7e7c800c8e95a7a9bbd2765f9342f9e4ab6889947cad4c80200
Instruction Fuzzy Hash: C2316ABA00410EDECB09DF54C6554EF7B60FB47332F26442AE842C7543D2B11D11BB5A

Function 00A036AE Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946a716a17c6805fb0e946b3238cbaf2570cf65a1d23cbbf4ee0b9e4d69b7b99
Instruction ID: 35df728204d05cb6960fcddff9e14a8be1ebb9aa7ef5ed5478378111492d4b07
Opcode Fuzzy Hash: 946a716a17c6805fb0e946b3238cbaf2570cf65a1d23cbbf4ee0b9e4d69b7b99
Instruction Fuzzy Hash: ED314DF260C600AFE705AF29DC85A6EFBE5EF99360F16092DE6C4D3710D33154518A57

Function 00A036C5 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097abda890f6a6cbb57fde59906503897b15f4554e091e7dd10a6910d6db8ee9
Instruction ID: a423102c08b6bc805de493ded898fcc97adc2944e2a52f4d1002fb9f8342172f
Opcode Fuzzy Hash: 097abda890f6a6cbb57fde59906503897b15f4554e091e7dd10a6910d6db8ee9
Instruction Fuzzy Hash: 1E314DB260C600AFE305AF2AD88566EFBE5FF98320F16092DE6C5C3710D33154518A93

Function 009F6741 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159bcd179439b21ce358e55c940aa16e6be1d38786ebbe5c5cf6add4c0494cfc
Instruction ID: c3666439fc0be95258d7ba26025263a596c3f647e19cf0898b0a1cfdf36cb63c
Opcode Fuzzy Hash: 159bcd179439b21ce358e55c940aa16e6be1d38786ebbe5c5cf6add4c0494cfc
Instruction Fuzzy Hash: E83124B250C704AFE70ABF68D88267EFBE4FF58350F12492DE6D582610E6355890CA87

Function 00A0391C Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d182c9779935aa45843794a5de5e691cc7cf775198b56941ab8cc579237bb53
Instruction ID: 9fa2be753e3ce2d6cee5ec538b82b77d93ceefedba72f8835266a28ffdfa3914
Opcode Fuzzy Hash: 5d182c9779935aa45843794a5de5e691cc7cf775198b56941ab8cc579237bb53
Instruction Fuzzy Hash: E631DEB250C610DFE709BF69D88267EFBE1FF98710F12482DE2C586220DB7454808B97

Function 00A0205F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384a8d73664a53ecfea07dd7af1e41d5d3bc6093680b18e3231768c65b3062dd
Instruction ID: ebd2a13f40cf3fd72e51babaf4c38097c957603761e23366eaeb78f35a55d35c
Opcode Fuzzy Hash: 384a8d73664a53ecfea07dd7af1e41d5d3bc6093680b18e3231768c65b3062dd
Instruction Fuzzy Hash: 960124B254020ADBEB10CF04C108A9BB774FF49360F1686A8D8015BA51D3746C98CF48

Function 00A01F05 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ea9b35c855acffdbaca9fb175a79af996371d84bc5f70d6684c1328b74e994
Instruction ID: 63aec5c30f0e6935ff03d52d1695c7be84a696fbc324feada67ceb2c25d9b109
Opcode Fuzzy Hash: e1ea9b35c855acffdbaca9fb175a79af996371d84bc5f70d6684c1328b74e994
Instruction Fuzzy Hash: B0D012703083904FCB80CF25C0C4BA677E6BB80220F0844F9EC48CE116DB248848CB31

Function 00A41F03 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00A3E880: GetCurrentThreadId.KERNEL32 ref: 00A3E88F
Part of subcall function 00A3E880: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00A3E8D2

Part of subcall function 00A42F81: IsBadWritePtr.KERNEL32(?,00000004), ref: 00A42F8F

wsprintfA.USER32 ref: 00A41F49
LoadImageA.USER32(?,?,?,?,?,?), ref: 00A4200D

Strings

%8x, xrefs: 00A41F44, 00A41F47
%8x, xrefs: 00A41FD7, 00A4200A

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: CurrentImageLoadSleepThreadWritewsprintf
String ID: %8x$%8x
API String ID: 2375920415-2046107164
Opcode ID: eef25aca547b01507bc7abe621b63a9f7768a343979ea0bd97fb277c320a8ac1
Instruction ID: d6bf9646c719a8c21d8268a0039fb5bc7b69c1f9628c434b4454d07a6215ec2b
Opcode Fuzzy Hash: eef25aca547b01507bc7abe621b63a9f7768a343979ea0bd97fb277c320a8ac1
Instruction Fuzzy Hash: FC31133590010AFBCF11DF94DD49EAEBFB9FF88710F108126F912A61A1D7719A61DBA0

Function 00A42AD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00E3A54C,00004020,00000000,-11A65FEC), ref: 00A42BC1

Strings

@, xrefs: 00A42B00

Memory Dump Source

Source File: 00000000.00000002.2187284568.0000000000A39000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.2187035190.0000000000860000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187049348.0000000000862000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187062858.0000000000866000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187075545.000000000086A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187090881.0000000000876000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187184243.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187196310.00000000009D4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187213041.00000000009F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187248448.0000000000A25000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187261619.0000000000A33000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187273389.0000000000A34000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187296302.0000000000A44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187307727.0000000000A45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187318530.0000000000A46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187330245.0000000000A4A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187343058.0000000000A59000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187355063.0000000000A60000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187368685.0000000000A69000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187381450.0000000000A6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187392833.0000000000A6C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187404683.0000000000A73000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187416039.0000000000A74000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187427635.0000000000A76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187440396.0000000000A7F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187455728.0000000000A83000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187468757.0000000000A84000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187482368.0000000000A85000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187496505.0000000000A8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187509443.0000000000A8E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187521765.0000000000A90000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187535358.0000000000A94000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187547799.0000000000A95000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187560840.0000000000A98000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187575229.0000000000AA0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187587911.0000000000AA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187607936.0000000000AC0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187620987.0000000000AC1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187638907.0000000000AD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187655088.0000000000AD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000AFB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187677092.0000000000B03000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187704763.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2187716976.0000000000B14000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 5d9337cea5568dcb2ab868f481f8839b3ccb624679cf34cd2c2eb48e20e10a24
Instruction ID: 5c9ad6f5cf46d983ed8f17dbc6a074a4b8b648edbfb7829bb6781e301781b4d1
Opcode Fuzzy Hash: 5d9337cea5568dcb2ab868f481f8839b3ccb624679cf34cd2c2eb48e20e10a24
Instruction Fuzzy Hash: ED316B75504705EFDB25CF44C884B8EBFB0FF44300F508529F95667691C3B4AAA5DB90

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 2804, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 2804, Parent PID: 1028COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 04C515D0 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Function 00A3FF53 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 009F8CC7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97
registryCOMMON

Function 00A40459 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 00A42DB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 009FC7C7 Relevance: 4.6, APIs: 3, Instructions: 62
registryCOMMON

Function 00A3EE33 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 00A40542 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 00A42FCF Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 00A4293B Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 00A3E880 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Function 04C515C4 Relevance: 1.8, APIs: 1, Instructions: 298
COMMON

Function 00A40FBA Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 00A407D6 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON