
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561554
MD5: 2622ff8859cc5cb9ef7b8f2df061a93d
SHA1: 7ec0a93e5a9a9908a6a5f9a142ca050ab9b06549
SHA256: 2cd2cd5a393e1fc8f4842c58cc3a2f21614cbceb107ba7a9e6921f0ddbe7f1f1
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2622FF8859CC5CB9EF7B8F2DF061A93D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2074967939.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537443
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537464
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BD591
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005378D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368E1
Source: file.exe, 00000000.00000002.2209197922.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2039050268.00000000003B6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2751488 > 1048576
Source: file.exe | Static PE information: Raw size of hyqsfdet is bigger than: 0x100000 < 0x299c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2074967939.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3b0000.0.unpack :EW;.rsrc:W;.idata :W;hyqsfdet:EW;vfmexbxk:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a7cbf should be: 0x2aca4d
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: hyqsfdet
Source: file.exe | Static PE information: section name: vfmexbxk
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005432AA push eax; mov dword ptr [esp], edx | 0_2_00547782
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005432AA push ebp; mov dword ptr [esp], esp | 0_2_00547790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536764 push edx; mov dword ptr [esp], 7FF55C07h | 0_2_005367E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536764 push 17CD70C8h; mov dword ptr [esp], ecx | 0_2_005367FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536764 push edi; mov dword ptr [esp], esi | 0_2_00536814
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00536764 push eax; mov dword ptr [esp], ebx | 0_2_0053682F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368DA push eax; mov dword ptr [esp], ecx | 0_2_0053690A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368DA push ebx; mov dword ptr [esp], 69DC48E5h | 0_2_00536939
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368DA push 02389D8Ch; mov dword ptr [esp], ebx | 0_2_00536969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005368DA push eax; mov dword ptr [esp], 6DFFE215h | 0_2_005369A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003BE9D0 push 545C5E3Fh; mov dword ptr [esp], edx | 0_2_003BF11D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544C5B push 6B90B70Ch; mov dword ptr [esp], edi | 0_2_00544C72
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544C5B push 38459666h; mov dword ptr [esp], edi | 0_2_005464EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544C5B push 53ADE381h; mov dword ptr [esp], esp | 0_2_00547D04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C1029 push ebx; mov dword ptr [esp], eax | 0_2_003C3B65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537045 push eax; mov dword ptr [esp], esi | 0_2_00537063
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00537045 push ebx; mov dword ptr [esp], 6657760Fh | 0_2_005370A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054904D push edi; mov dword ptr [esp], 2A053123h | 0_2_00549070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E4043 push 6B9FB8DEh; mov dword ptr [esp], edi | 0_2_005E4065
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00548060 push 20D64200h; mov dword ptr [esp], ebp | 0_2_0054A23C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00543062 push 07E38928h; mov dword ptr [esp], edx | 0_2_00547A96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00533002 push 78CE4F96h; mov dword ptr [esp], edx | 0_2_0053305E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00533002 push ebp; mov dword ptr [esp], ebx | 0_2_005330A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053A000 push edx; ret | 0_2_0053A00F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00538038 push 64E1437Ah; mov dword ptr [esp], edx | 0_2_0053803D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00538038 push 03D9ACE6h; mov dword ptr [esp], ebp | 0_2_005382EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053703E push eax; mov dword ptr [esp], esi | 0_2_00537063
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053703E push ebx; mov dword ptr [esp], 6657760Fh | 0_2_005370A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053A021 push esi; ret | 0_2_0053A030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C204B push esi; mov dword ptr [esp], 2A80B467h | 0_2_003C31C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003C1044 push 69973661h; mov dword ptr [esp], edx | 0_2_003C105F
Source: file.exe | Static PE information: section name: entropy: 7.790368243260483

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5671B9 second address: 5671BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5671BF second address: 5671C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5671C3 second address: 5671D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F18A0F7F096h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5671D6 second address: 5671E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F18A106FA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567533 second address: 567557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F18A0F7F0A4h 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e jl 00007F18A0F7F09Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 569962 second address: 569967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B632 second address: 56B638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C16E second address: 56C174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C174 second address: 56C181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C181 second address: 56C187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56CBF0 second address: 56CC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F18A0F7F0A2h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F18A0F7F098h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 xor dword ptr [ebp+12470578h], esi 0x0000002d jns 00007F18A0F7F09Ch 0x00000033 push 00000000h 0x00000035 jmp 00007F18A0F7F09Dh 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edi 0x0000003f call 00007F18A0F7F098h 0x00000044 pop edi 0x00000045 mov dword ptr [esp+04h], edi 0x00000049 add dword ptr [esp+04h], 0000001Ah 0x00000051 inc edi 0x00000052 push edi 0x00000053 ret 0x00000054 pop edi 0x00000055 ret 0x00000056 adc si, 9700h 0x0000005b push eax 0x0000005c pushad 0x0000005d pushad 0x0000005e pushad 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5705ED second address: 57060A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F18A106FA6Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F18A106FA66h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57154F second address: 571571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F18A0F7F0A1h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F18A0F7F098h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57060A second address: 5706A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D36BCh], edx 0x0000000e mov ebx, dword ptr [ebp+124787B0h] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b call 00007F18A106FA76h 0x00000020 mov bx, 02C8h 0x00000024 pop edi 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c mov dword ptr [ebp+122D1E2Eh], edx 0x00000032 mov eax, dword ptr [ebp+122D0339h] 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F18A106FA68h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 jnp 00007F18A106FA66h 0x00000058 push FFFFFFFFh 0x0000005a or ebx, dword ptr [ebp+122D39BEh] 0x00000060 nop 0x00000061 jmp 00007F18A106FA6Ch 0x00000066 push eax 0x00000067 pushad 0x00000068 jmp 00007F18A106FA6Bh 0x0000006d je 00007F18A106FA6Ch 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5737A0 second address: 5737A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5777FD second address: 577860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edi 0x0000000a jmp 00007F18A106FA77h 0x0000000f pop edi 0x00000010 nop 0x00000011 mov ebx, ecx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov edi, dword ptr [ebp+122D37BEh] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov dword ptr [ebp+1244FC81h], esi 0x0000002d mov eax, dword ptr [ebp+122D04EDh] 0x00000033 jmp 00007F18A106FA71h 0x00000038 push FFFFFFFFh 0x0000003a mov ebx, 657654E6h 0x0000003f push eax 0x00000040 push esi 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 pop eax 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 579527 second address: 57953C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18A0F7F0A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57953C second address: 579568 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F18A106FA75h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 579568 second address: 57956C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57956C second address: 579575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57B775 second address: 57B77B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57970C second address: 5797B2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F18A106FA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F18A106FA79h 0x00000015 nop 0x00000016 jmp 00007F18A106FA75h 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov edi, 56C1644Dh 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e adc edi, 5FCEBF00h 0x00000034 mov eax, dword ptr [ebp+122D1381h] 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F18A106FA68h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 jp 00007F18A106FA67h 0x0000005a cld 0x0000005b or dword ptr [ebp+122D3345h], esi 0x00000061 push FFFFFFFFh 0x00000063 mov ebx, 36135E22h 0x00000068 nop 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F18A106FA6Dh 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 578765 second address: 57876B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57B9AE second address: 57B9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5797B2 second address: 5797B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57876B second address: 578771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5797B8 second address: 5797CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c jng 00007F18A0F7F096h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DA54 second address: 57DA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57EAE8 second address: 57EB2C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F18A0F7F096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+122D1C86h], edi 0x00000014 push 00000000h 0x00000016 mov edi, ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F18A0F7F098h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov di, BA86h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c pushad 0x0000003d popad 0x0000003e pop ecx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DBCB second address: 57DBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F18A106FA66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57ED9F second address: 57EDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57FCF0 second address: 57FCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58597C second address: 585998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A0F7F0A8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 585998 second address: 5859AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F18A106FA66h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5859AA second address: 5859AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5890EF second address: 58911C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F18A106FA72h 0x0000000a jmp 00007F18A106FA71h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58911C second address: 589135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A0F7F0A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F08B second address: 51F0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F18A106FA73h 0x00000010 jmp 00007F18A106FA6Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0B5 second address: 51F0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0B9 second address: 51F0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0BF second address: 51F0CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F18A0F7F096h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0CE second address: 51F0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0D9 second address: 51F0EA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F18A0F7F096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0EA second address: 51F0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599344 second address: 599349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 599349 second address: 59934E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59AB5B second address: 59AB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007F18A0F7F096h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59AB67 second address: 59AB8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jno 00007F18A106FA66h 0x0000000f jmp 00007F18A106FA74h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 520D08 second address: 520D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A1895 second address: 5A1899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0CE8 second address: 5A0CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0CF0 second address: 5A0CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F18A106FA66h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0CFB second address: 5A0D0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18A0F7F09Bh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0D0D second address: 5A0D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F18A106FA66h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A0E6B second address: 5A0E82 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F18A0F7F098h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F18A0F7F096h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A114E second address: 5A1152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A1152 second address: 5A1156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A1156 second address: 5A116D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A106FA71h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A116D second address: 5A1187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A12BF second address: 5A1303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F18A106FA75h 0x0000000e js 00007F18A106FA8Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F18A106FA77h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A1303 second address: 5A130D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F18A0F7F096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A15A3 second address: 5A15BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F18A106FA73h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A15BE second address: 5A15D8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F18A0F7F098h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F18A0F7F098h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A15D8 second address: 5A15FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F18A106FA66h 0x0000000a jmp 00007F18A106FA73h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F18A106FA66h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A172D second address: 5A1733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5C15 second address: 5A5C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5C1B second address: 5A5C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5C1F second address: 5A5C29 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F18A106FA66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5D88 second address: 5A5D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5EDB second address: 5A5EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F18A106FA66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A6200 second address: 5A6206 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A6206 second address: 5A6219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18A106FA6Dh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A65AA second address: 5A65AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A65AE second address: 5A65D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F18A106FA66h 0x0000000e jmp 00007F18A106FA78h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A65D4 second address: 5A65D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F6AE second address: 54F6B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5710 second address: 5A572E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jg 00007F18A0F7F096h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F18A0F7F0A2h 0x00000016 jng 00007F18A0F7F096h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A572E second address: 5A5732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5732 second address: 5A573A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A573A second address: 5A573E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A573E second address: 5A5748 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC2F6 second address: 5AC305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC305 second address: 5AC31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A0F7F0A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC490 second address: 5AC4B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 ja 00007F18A106FA78h 0x0000000e jnp 00007F18A106FA66h 0x00000014 jmp 00007F18A106FA6Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC4B4 second address: 5AC4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC4BA second address: 5AC4C4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F18A106FA66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC7BD second address: 5AC7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC7C7 second address: 5AC7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F18A106FA68h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC7DB second address: 5AC7E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC930 second address: 5AC954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F18A106FA79h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC954 second address: 5AC958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC958 second address: 5AC973 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F18A106FA75h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC973 second address: 5AC9AC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F18A0F7F0AFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F18A0F7F09Dh 0x00000010 jc 00007F18A0F7F0AFh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ABE9C second address: 5ABEAA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F18A106FA68h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ABEAA second address: 5ABEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5ABEAE second address: 5ABECA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA78h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AD214 second address: 5AD277 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A8h 0x00000007 jne 00007F18A0F7F096h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jc 00007F18A0F7F096h 0x00000016 jmp 00007F18A0F7F09Ch 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F18A0F7F0A7h 0x00000023 jmp 00007F18A0F7F0A4h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AD277 second address: 5AD27B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AD27B second address: 5AD292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F18A0F7F096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F18A0F7F098h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AD292 second address: 5AD2B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA77h 0x00000007 jg 00007F18A106FA72h 0x0000000d jnc 00007F18A106FA66h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56582B second address: 5658A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1E2Eh], ebx 0x00000012 lea eax, dword ptr [ebp+1247B5AFh] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F18A0F7F098h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 jl 00007F18A0F7F099h 0x00000038 movsx edx, ax 0x0000003b jo 00007F18A0F7F099h 0x00000041 add dh, 0000004Fh 0x00000044 push eax 0x00000045 jp 00007F18A0F7F0B5h 0x0000004b pushad 0x0000004c jmp 00007F18A0F7F0A7h 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5658A6 second address: 54EAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F18A106FA68h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 call dword ptr [ebp+122D2566h] 0x00000028 js 00007F18A106FA70h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565D7A second address: 3BDB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push dword ptr [ebp+122D11C9h] 0x00000011 movzx edi, ax 0x00000014 call dword ptr [ebp+122D1DEBh] 0x0000001a pushad 0x0000001b sub dword ptr [ebp+122D3523h], ebx 0x00000021 xor eax, eax 0x00000023 mov dword ptr [ebp+122D3298h], ebx 0x00000029 mov edx, dword ptr [esp+28h] 0x0000002d cld 0x0000002e xor dword ptr [ebp+122D1C8Bh], esi 0x00000034 mov dword ptr [ebp+122D399Eh], eax 0x0000003a jc 00007F18A0F7F097h 0x00000040 stc 0x00000041 mov esi, 0000003Ch 0x00000046 pushad 0x00000047 mov ecx, dword ptr [ebp+122D37FAh] 0x0000004d mov dword ptr [ebp+122D3298h], edx 0x00000053 popad 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 stc 0x00000059 xor dword ptr [ebp+122D3523h], ebx 0x0000005f lodsw 0x00000061 sub dword ptr [ebp+122D3523h], edi 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b jne 00007F18A0F7F09Ch 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 xor dword ptr [ebp+122D3298h], esi 0x0000007b jmp 00007F18A0F7F09Dh 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 pushad 0x00000084 push ecx 0x00000085 pop ecx 0x00000086 pushad 0x00000087 popad 0x00000088 popad 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565E4E second address: 565E5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565EDE second address: 565EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565EE2 second address: 565F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 add dword ptr [esp], 558FB7C0h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F18A106FA68h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D2BF6h], ebx 0x0000002e call 00007F18A106FA69h 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 565F28 second address: 565F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56606E second address: 566072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566249 second address: 56624D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56624D second address: 566253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566253 second address: 566258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566258 second address: 56625E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56636A second address: 56636E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56636E second address: 566377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566377 second address: 566388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F18A0F7F098h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566388 second address: 5663F8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F18A106FA68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+122D1FF3h] 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F18A106FA68h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d pushad 0x0000002e xor dword ptr [ebp+122D1D17h], esi 0x00000034 jmp 00007F18A106FA70h 0x00000039 popad 0x0000003a mov dx, di 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F18A106FA78h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5663F8 second address: 5663FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5663FC second address: 566402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566402 second address: 566408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56675B second address: 566761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566761 second address: 5667E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ecx, esi 0x0000000e push 0000001Eh 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F18A0F7F098h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a cld 0x0000002b xor edi, 34D40308h 0x00000031 jmp 00007F18A0F7F09Bh 0x00000036 nop 0x00000037 pushad 0x00000038 jg 00007F18A0F7F09Ch 0x0000003e jnl 00007F18A0F7F09Ch 0x00000044 popad 0x00000045 push eax 0x00000046 pushad 0x00000047 jns 00007F18A0F7F09Ch 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F18A0F7F09Ch 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566B50 second address: 566BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007F18A106FA76h 0x0000000f sub dword ptr [ebp+12460696h], esi 0x00000015 pop edi 0x00000016 je 00007F18A106FA72h 0x0000001c pushad 0x0000001d mov edx, dword ptr [ebp+122D39AAh] 0x00000023 mov bx, CAF1h 0x00000027 popad 0x00000028 lea eax, dword ptr [ebp+1247B5F3h] 0x0000002e ja 00007F18A106FA6Bh 0x00000034 mov edi, 66CCE91Ch 0x00000039 push eax 0x0000003a jnl 00007F18A106FA6Ah 0x00000040 push eax 0x00000041 push edx 0x00000042 pop edx 0x00000043 pop eax 0x00000044 mov dword ptr [esp], eax 0x00000047 mov ecx, dword ptr [ebp+122D268Ah] 0x0000004d lea eax, dword ptr [ebp+1247B5AFh] 0x00000053 push 00000000h 0x00000055 push edx 0x00000056 call 00007F18A106FA68h 0x0000005b pop edx 0x0000005c mov dword ptr [esp+04h], edx 0x00000060 add dword ptr [esp+04h], 0000001Bh 0x00000068 inc edx 0x00000069 push edx 0x0000006a ret 0x0000006b pop edx 0x0000006c ret 0x0000006d mov dword ptr [ebp+122D2E85h], eax 0x00000073 movsx edi, di 0x00000076 nop 0x00000077 jl 00007F18A106FA83h 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566BEA second address: 566C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A0F7F0A5h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F18A0F7F09Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566C11 second address: 54F6AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jo 00007F18A106FA6Eh 0x0000000f jp 00007F18A106FA68h 0x00000015 call dword ptr [ebp+122D36A4h] 0x0000001b jmp 00007F18A106FA70h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jnl 00007F18A106FA66h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0BAB second address: 5B0BB1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0BB1 second address: 5B0BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F18A106FA68h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0D13 second address: 5B0D50 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F18A0F7F096h 0x0000000d jg 00007F18A0F7F096h 0x00000013 jng 00007F18A0F7F096h 0x00000019 jne 00007F18A0F7F096h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F18A0F7F0A9h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0D50 second address: 5B0D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0EAA second address: 5B0EB4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F18A0F7F096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0EB4 second address: 5B0ECF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F18A106FA6Fh 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0ECF second address: 5B0ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0ED8 second address: 5B0EDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B102B second address: 5B1049 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F18A0F7F09Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 ja 00007F18A0F7F096h 0x00000016 jo 00007F18A0F7F09Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B11A1 second address: 5B11A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B11A7 second address: 5B11AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B11AB second address: 5B11BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F18A106FA66h 0x0000000e jp 00007F18A106FA66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B11BF second address: 5B11C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B14C5 second address: 5B14DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F18A106FA6Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1661 second address: 5B1665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1665 second address: 5B166B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B166B second address: 5B1671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1671 second address: 5B1678 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1678 second address: 5B167E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B79CD second address: 5B79E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A106FA6Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B79E0 second address: 5B79EC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F18A0F7F09Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5291F6 second address: 52921B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F18A106FA7Dh 0x0000000e jmp 00007F18A106FA75h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52921B second address: 52924A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18A0F7F0A5h 0x00000009 jmp 00007F18A0F7F0A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD83C second address: 5BD846 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F18A106FA66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD0E3 second address: 5BD0E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD0E9 second address: 5BD0ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD261 second address: 5BD283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F09Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007F18A0F7F096h 0x00000010 je 00007F18A0F7F096h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD283 second address: 5BD2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F18A106FA72h 0x0000000c jg 00007F18A106FA66h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD3F0 second address: 5BD40A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A0h 0x00000007 jl 00007F18A0F7F096h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD40A second address: 5BD41F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD41F second address: 5BD423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32D5 second address: 5C32D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32D9 second address: 5C32E7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F18A0F7F096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32E7 second address: 5C32EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32EB second address: 5C32F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32F1 second address: 5C3334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18A106FA74h 0x00000008 jmp 00007F18A106FA6Ch 0x0000000d popad 0x0000000e jng 00007F18A106FA6Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F18A106FA71h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C347B second address: 5C3485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C35A8 second address: 5C35B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C35B0 second address: 5C35BA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F18A0F7F096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C39BD second address: 5C39C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5665B7 second address: 5665BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5665BC second address: 5665C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F18A106FA66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5665C7 second address: 5665D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F18A0F7F096h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5665D8 second address: 5665FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F18A106FA72h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C3B35 second address: 5C3B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A0F7F0A2h 0x00000009 pop ebx 0x0000000a jng 00007F18A0F7F09Ch 0x00000010 jp 00007F18A0F7F096h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8890 second address: 5C8894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8894 second address: 5C88BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 jc 00007F18A0F7F096h 0x0000000e jmp 00007F18A0F7F0A3h 0x00000013 pop edi 0x00000014 jnp 00007F18A0F7F09Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7BD8 second address: 5C7BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7BDC second address: 5C7C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A7h 0x00000007 jmp 00007F18A0F7F0A9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F18A0F7F0A2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7DA2 second address: 5C7DA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7DA7 second address: 5C7DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F18A0F7F096h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7EF7 second address: 5C7F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A106FA6Dh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7F0B second address: 5C7F11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7F11 second address: 5C7F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7F17 second address: 5C7F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7F1B second address: 5C7F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C8373 second address: 5C8398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F18A0F7F0B4h 0x0000000b jmp 00007F18A0F7F0A8h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D3901 second address: 5D3905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D19F0 second address: 5D19FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F18A0F7F096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D19FA second address: 5D19FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2282 second address: 5D2288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2288 second address: 5D228E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D228E second address: 5D2294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2294 second address: 5D2298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2298 second address: 5D22BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A3h 0x00000007 je 00007F18A0F7F096h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F18A0F7F096h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D22BD second address: 5D22C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C32 second address: 5D2C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C36 second address: 5D2C77 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007F18A106FA77h 0x00000010 pop edi 0x00000011 pushad 0x00000012 jmp 00007F18A106FA6Ch 0x00000017 jmp 00007F18A106FA6Bh 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2C77 second address: 5D2C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2F8F second address: 5D2F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2F93 second address: 5D2FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F18A0F7F096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F18A0F7F0A8h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D32EE second address: 5D32F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F18A106FA66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6CA5 second address: 5D6CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F18A0F7F096h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6E09 second address: 5D6E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F18A106FA66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D7325 second address: 5D7329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E43C1 second address: 5E43C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E25D3 second address: 5E25D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E25D9 second address: 5E25DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E25DD second address: 5E25E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E25E1 second address: 5E2625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F18A106FA72h 0x0000000c pop edi 0x0000000d jmp 00007F18A106FA73h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jmp 00007F18A106FA73h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2A32 second address: 5E2A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F18A0F7F096h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jnl 00007F18A0F7F096h 0x00000012 jmp 00007F18A0F7F09Dh 0x00000017 popad 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F18A0F7F09Ch 0x00000021 jc 00007F18A0F7F096h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2A61 second address: 5E2A6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F18A106FA66h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2A6D second address: 5E2A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2E6A second address: 5E2E74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E2E74 second address: 5E2E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E3971 second address: 5E397B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E397B second address: 5E397F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA3ED second address: 5EA3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA3F4 second address: 5EA42E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F09Ch 0x00000007 jo 00007F18A0F7F09Eh 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F18A0F7F096h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b jmp 00007F18A0F7F0A3h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 pop esi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA42E second address: 5EA432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EA704 second address: 5EA70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0E5C second address: 5F0E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0E60 second address: 5F0E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F18A0F7F096h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0E6E second address: 5F0E78 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F18A106FA66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0E78 second address: 5F0E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F18A0F7F09Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F0E8B second address: 5F0E95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F18A106FA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8F15 second address: 5F8F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8F1B second address: 5F8F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8A95 second address: 5F8A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F18A0F7F096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8A9F second address: 5F8AC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA73h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F18A106FA72h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F8AC0 second address: 5F8AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC70F second address: 5FC715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC0B7 second address: 5FC0BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC0BD second address: 5FC0D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007F18A106FA66h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC0D0 second address: 5FC0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC0D5 second address: 5FC0F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 jmp 00007F18A106FA6Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jng 00007F18A106FA91h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 je 00007F18A106FA66h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC243 second address: 5FC269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jl 00007F18A0F7F096h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 jmp 00007F18A0F7F09Dh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FC269 second address: 5FC26F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60190B second address: 601920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F18A0F7F096h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F18A0F7F096h 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 601920 second address: 60194A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A106FA75h 0x00000007 jno 00007F18A106FA66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 jg 00007F18A106FA66h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60051C second address: 60052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F09Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60052A second address: 600530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 600530 second address: 600543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F18A0F7F09Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 606BB0 second address: 606BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 611483 second address: 61148B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6115CA second address: 6115EF instructions: 0x00000000 rdtsc 0x00000002 jl 00007F18A106FA71h 0x00000008 jmp 00007F18A106FA6Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F18A106FA6Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6115EF second address: 61160B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61160B second address: 611611 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6118A3 second address: 6118A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6118A9 second address: 6118B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6118B0 second address: 6118D7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F18A0F7F098h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F18A0F7F09Ah 0x00000013 push ebx 0x00000014 jmp 00007F18A0F7F09Dh 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6172D9 second address: 6172E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F18A106FA66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6172E3 second address: 6172E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6172E7 second address: 617305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F18A106FA76h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 617014 second address: 617027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18A0F7F09Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622947 second address: 62294D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62294D second address: 622953 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622953 second address: 62296A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F18A106FA6Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6250EB second address: 6250F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630DF1 second address: 630E1C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F18A106FA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F18A106FA73h 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 js 00007F18A106FA7Eh 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63416C second address: 634170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634170 second address: 634176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634176 second address: 63417E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63417E second address: 634182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634182 second address: 634186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634186 second address: 634198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634198 second address: 6341B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F18A0F7F0A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634340 second address: 63435F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F18A106FA66h 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007F18A106FA66h 0x00000012 jmp 00007F18A106FA6Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B655 second address: 63B65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B79D second address: 63B7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63B7A1 second address: 63B7A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63BD3D second address: 63BD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F18A106FA66h 0x0000000c jbe 00007F18A106FA66h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F18A106FA77h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63BD6F second address: 63BD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63BD73 second address: 63BD7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63BD7D second address: 63BD81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63BEEB second address: 63BEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63BEF1 second address: 63BF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F18A0F7F0A8h 0x0000000d jnl 00007F18A0F7F096h 0x00000013 ja 00007F18A0F7F096h 0x00000019 popad 0x0000001a js 00007F18A0F7F09Ah 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push esi 0x00000023 pop esi 0x00000024 popad 0x00000025 pushad 0x00000026 push edi 0x00000027 jmp 00007F18A0F7F09Fh 0x0000002c pop edi 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 640594 second address: 64059E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F18A106FA66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64059E second address: 6405A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6405A3 second address: 6405AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 645C42 second address: 645C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 645C4C second address: 645C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648C53 second address: 648C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F18A0F7F09Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6419B3 second address: 6419B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6419B8 second address: 6419BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6419BE second address: 6419CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6419CC second address: 6419D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6419D2 second address: 6419EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jl 00007F18A106FA66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F18A106FA6Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6419EF second address: 641A06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F18A0F7F09Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641A06 second address: 641A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 641A13 second address: 641A1D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F18A0F7F096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A000 second address: 56A025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007F18A106FA87h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F18A106FA75h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 3BDBDD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 3BDAEA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 55EE29 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 580F67 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5659EC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 3BDAE4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5F182D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4AB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053A033 rdtsc
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054B362 sidt fword ptr [esp-02h]
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 6648	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00591E1E GetSystemInfo,VirtualAlloc
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe	System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe	Process information queried: ProcessInformation
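The RDTSC interceptor entries above are the sandbox's record of every pair of consecutive rdtsc reads the sample executed, with the instructions that ran between them; the delay entries record a wait that is far longer than any Sleep() can express. As an added example (not part of the Joe Sandbox report), the following triage script parses three of those lines, copied from the report with the column separator normalized, and derives what the raw listing does not state outright: the instruction offsets are cumulative encoded lengths along the listed path, so when the closing rdtsc's offset added to the first address does not give the second address, a branch in the window was taken; the filler between the reads is only push/pop/pushad/popad and jumps, so nothing inside the window consumes the timestamps; and 922337203685477 is (2^63 - 1) // 10^4, the largest relative interval NtDelayExecution accepts in 100 ns units, if the figure is read as milliseconds (an assumption; it is the unit the sandbox's sleep thresholds use). Branch targets are not interpreted.

```python
"""Triage helpers for the RDTSC and thread-delay findings above (added example)."""
import re
from collections import Counter

# Three lines copied from the report above (column separator normalized).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2288 second address: 5D228E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2298 second address: 5D22BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18A0F7F0A3h 0x00000007 je 00007F18A0F7F096h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F18A0F7F096h 0x00000017 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477",
]

WINDOW_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)")
INSN_RE = re.compile(r"0x([0-9a-f]{8}) (.*?)(?=\s+0x[0-9a-f]{8}|$)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

STACK_SLOTS = {"push": 1, "pop": -1, "pushad": 8, "popad": -8}   # effect in 32-bit stack slots
BRANCHES = {"jmp", "jo", "jno", "js", "jns", "je", "jne", "jc", "jnc",
            "ja", "jbe", "jl", "jnl", "jg", "jng", "jp", "jnp"}
# Largest relative wait NtDelayExecution can encode (100 ns units), expressed in ms.
NT_MAX_RELATIVE_MS = (2**63 - 1) // 10_000


def parse_window(line):
    """Returns a summary of one rdtsc..rdtsc window, or None for other lines."""
    m = WINDOW_RE.search(line)
    if not m:
        return None
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    insns = [(int(off, 16), text.split()[0]) for off, text in INSN_RE.findall(m.group(3))]
    if not insns or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("window does not start and end with rdtsc: " + line)
    kinds = Counter()
    stack_delta = 0
    for _, mnem in insns[1:-1]:
        if mnem in STACK_SLOTS:
            kinds["stack"] += 1
            stack_delta += STACK_SLOTS[mnem]
        elif mnem in BRANCHES:
            kinds["branch"] += 1
        else:
            kinds["other"] += 1          # anything that could actually use the timestamps
    linear_len = insns[-1][0]            # bytes from first to second rdtsc if no branch was taken
    return {
        "first": first, "second": second, "linear_len": linear_len,
        "straight_line": first + linear_len == second,
        "stack_delta": stack_delta, "stack": kinds["stack"],
        "branch": kinds["branch"], "other": kinds["other"],
    }


def parse_delay(line):
    """Interprets a 'Thread delayed' entry, assuming the figure is in milliseconds."""
    m = DELAY_RE.search(line)
    if not m:
        return None
    ms = int(m.group(1))
    return {
        "delay_ms": ms,
        "fits_sleep_dword": ms <= 0xFFFFFFFE,        # Sleep()/SleepEx() take a DWORD of ms
        "max_relative_wait": ms == NT_MAX_RELATIVE_MS,  # the thread parks itself for good
    }


def triage(lines):
    return {
        "windows": [w for w in map(parse_window, lines) if w],
        "delays": [d for d in map(parse_delay, lines) if d],
    }


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for w in result["windows"]:
        print(f"{w['first']:06X}->{w['second']:06X} len={w['linear_len']:2d} "
              f"straight={w['straight_line']} stack_delta={w['stack_delta']:+d} "
              f"branches={w['branch']} other={w['other']}")
    for d in result["delays"]:
        print(d)
```

Feed it the whole section and windows with `other > 0` are the ones worth opening in a disassembler, since those are the only places where the two readings could be subtracted and compared; the rest is filler the sandbox pays for twice, once per trapped rdtsc, which is exactly what a timing check is counting on.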

Anti Debugging

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053A033 rdtsc
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003BB986 LdrInitializeThunk
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe	Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe; Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications = 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; Registry value created: DisableIOAVProtection = 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection; Registry value created: DisableRealtimeMonitoring = 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications; Registry value created: DisableNotifications = 1
Source: C:\Users\user\Desktop\file.exe; Registry value created: TamperProtection = 0
Source: C:\Users\user\Desktop\file.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
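The Anti Debugging block and the HIPS / OS security-settings block above are both lists of behaviour events that a sandbox turned into signatures. The rule set below is an added example written for this page, not Joe Sandbox code: it takes a constructed trace modelled on those lines (window-class lookups, debugger device opens, the ThreadHideFromDebugger and ProcessDebugPort information classes, Defender and Windows Update policy writes) and returns the signature names the report uses together with the ATT&CK technique each maps to. The event shape (`Event(api, args)`), the `FindWindow` / `CreateFile` / `RegSetValue` labels and the registry path assumed for TamperProtection (the report shows only the value) are the example's own conventions.

```python
"""Map sandbox-style behaviour events to the report's signature names and
ATT&CK technique IDs. Added example; not Joe Sandbox code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Event:
    api: str                      # example's own labels, e.g. "FindWindow", "RegSetValue"
    args: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    signature: str
    technique: str                # ATT&CK technique ID


# Window classes / titles probed in the report (FindWindow-style lookups).
DEBUGGER_WINDOWS = {"ollydbg"}
MONITOR_WINDOWS = {
    "regmonclass", "gbdyllo", "procmon_window_class", "filemonclass",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
# SoftICE-era kernel-debugger device names opened via CreateFile(\\.\NAME).
DEBUGGER_DEVICES = {"NTICE", "SICE", "SIWVID"}
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS for NtSetInformationThread
PROCESS_DEBUG_PORT = 0x07         # PROCESSINFOCLASS for NtQueryInformationProcess

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
SECURITY_CENTER_POLICY = DEFENDER_POLICY + " security center"
WINDOWS_UPDATE_POLICY = r"hklm\software\policies\microsoft\windows\windowsupdate"


def _norm_key(key: str) -> str:
    return key.lower().replace("hkey_local_machine", "hklm").strip("\\")


def match(events: list[Event]) -> list[Finding]:
    """Return the distinct findings raised by a trace, in first-seen order."""
    found: dict[Finding, None] = {}          # dict used as an ordered set

    def hit(signature: str, technique: str) -> None:
        found.setdefault(Finding(signature, technique), None)

    for ev in events:
        a = ev.args
        if ev.api == "FindWindow":
            name = a.get("name", "").lower()
            if name in DEBUGGER_WINDOWS:
                hit("Tries to detect debuggers (window names)", "T1622")
            elif name in MONITOR_WINDOWS:
                hit("Tries to detect process monitoring tools (window names)", "T1518.001")
        elif ev.api == "CreateFile":
            dev = a.get("path", "")
            if dev.startswith("\\\\.\\"):                # strip the \\.\ device prefix
                dev = dev[4:]
            if dev.upper() in DEBUGGER_DEVICES:
                hit("Checks for debuggers (devices)", "T1622")
        elif ev.api == "NtSetInformationThread" and a.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            hit("Hides threads from debuggers", "T1622")
        elif ev.api == "NtQueryInformationProcess" and a.get("info_class") == PROCESS_DEBUG_PORT:
            hit("Checks if the current process is being debugged", "T1622")
        elif ev.api == "RegSetValue":
            key, name, data = _norm_key(a["key"]), a["name"].lower(), a.get("data")
            if key.startswith(SECURITY_CENTER_POLICY) and name == "disablenotifications" and data == 1:
                hit("Disable Windows Defender notifications (registry)", "T1562.001")
            elif key.startswith(DEFENDER_POLICY) and data == 1 and name in {
                    "disablerealtimemonitoring", "disableioavprotection"}:
                hit("Disable Windows Defender real time protection (registry)", "T1562.001")
            elif "windows defender" in key and name == "tamperprotection" and data == 0:
                hit("Disables Windows Defender Tamper protection", "T1562.001")
            elif key.startswith(WINDOWS_UPDATE_POLICY):
                hit("Modifies windows update settings", "T1562")   # Impair Defenses, generic
    return list(found)


def sample_events() -> list[Event]:
    """Constructed trace modelled on the behaviour lines above; not a real capture."""
    return [
        Event("FindWindow", {"name": "procmon_window_class"}),
        Event("FindWindow", {"name": "OllyDbg"}),
        Event("FindWindow", {"name": "Program Manager"}),           # shell window: benign
        Event("CreateFile", {"path": r"\\.\SICE"}),
        Event("CreateFile", {"path": r"C:\Users\user\Desktop\notes.txt"}),
        Event("NtSetInformationThread", {"info_class": THREAD_HIDE_FROM_DEBUGGER}),
        Event("NtQueryInformationProcess", {"info_class": PROCESS_DEBUG_PORT}),
        Event("NtQueryInformationProcess", {"info_class": 0}),      # ProcessBasicInformation: benign
        Event("RegSetValue", {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
                              "name": "DisableRealtimeMonitoring", "data": 1}),
        Event("RegSetValue", {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications",
                              "name": "DisableNotifications", "data": 1}),
        # Key path assumed for the example; the report shows only the value name and data.
        Event("RegSetValue", {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features",
                              "name": "TamperProtection", "data": 0}),
        Event("RegSetValue", {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU",
                              "name": "AUOptions", "data": 1}),
    ]


if __name__ == "__main__":
    for f in match(sample_events()):
        print(f"{f.technique:10} {f.signature}")
```

The benign events (the shell window lookup, a normal file open, ProcessBasicInformation) are there on purpose: a rule set of this kind earns its keep by what it ignores, and the registry rules key on the Policies hive plus the exact value data rather than on any write under the Defender tree.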
MITRE ATT&CK techniques observed (count = number of matching signatures; cells of the original matrix that carried no count are template entries, not observations, and are omitted):

Tactic                Technique                              Signatures
Execution             Command and Scripting Interpreter      2
Persistence           DLL Side-Loading                       1
Privilege Escalation  Process Injection                      1
Privilege Escalation  DLL Side-Loading                       1
Privilege Escalation  Bypass User Account Control            2
Defense Evasion       Masquerading                           1
Defense Evasion       Disable or Modify Tools                41
Defense Evasion       Virtualization/Sandbox Evasion         271
Defense Evasion       Process Injection                      1
Defense Evasion       Obfuscated Files or Information        2
Defense Evasion       Software Packing                       11
Defense Evasion       DLL Side-Loading                       1
Defense Evasion       Bypass User Account Control            2
Discovery             Security Software Discovery            641
Discovery             Process Discovery                      2
Discovery             Virtualization/Sandbox Evasion         271
Discovery             System Information Discovery           23
Collection            Archive Collected Data                 1
Command and Control   Encrypted Channel                      1
Detection (Source / Detection / Scanner / Label / Link):
file.exe: 100%, Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1561554
Start date and time:2024-11-23 18:35:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.513320898469593
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'751'488 bytes
MD5:2622ff8859cc5cb9ef7b8f2df061a93d
SHA1:7ec0a93e5a9a9908a6a5f9a142ca050ab9b06549
SHA256:2cd2cd5a393e1fc8f4842c58cc3a2f21614cbceb107ba7a9e6921f0ddbe7f1f1
SHA512:06f778da65c571b9c8015b2040222895d19e0b52433e408cb109e6756710940da87a60a58db5ad3d3f8dd3fb166492a88a1437166880567613fe784e549d5c40
SSDEEP:24576:uR+b9hOAJnZg6qPWsPr9LE1PT/ZUvZmejnt35RQb5iK1ldIFeiKSMCWMYg9+95+q:u8Y4ZAD57e3UC9QIoT8OsBiW6g
TLSH:CDD55BA2B50972CFD48E27788527CD42985E87FB472449C39C6DB4BE7D63CC112BAE24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`*.. ...`....@.. ........................*......|*...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6a6000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point in .taggant; runs of identical instructions are collapsed with their count in brackets. After the initial jmp the bytes are almost all zero, and 00 00 decodes as add byte ptr [eax], al.)
jmp 00007F18A0F4878Ah
pminub mm5, qword ptr [ecx]
add byte ptr [eax], al [x2]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al [x2]
add byte ptr [eax], dh
add byte ptr [eax], al [x3]
add byte ptr [eax+eax], al
add byte ptr [eax], al [x7]
push es
or al, byte ptr [eax]
add byte ptr [eax], al [x62]
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al [x2]
adc byte ptr [eax], al
add byte ptr [eax], al [x3]
pop es
or al, byte ptr [eax]
add byte ptr [eax], al [x2]
Data directories (Name / Virtual Address / Virtual Size / Section):
IMAGE_DIRECTORY_ENTRY_IMPORT      0x8055  0x69   .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE    0x6000  0x59c  .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC   0x81f8  0x8    .idata
All other directories (EXPORT, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED): 0x0 / 0x0
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):

(blank name)
  VA 0x2000, VSize 0x4000, Raw 0x1200, MD5 e82579ddc3dd2735abe180b697d11ffb, Xored PE: False, ZLIB complexity 0.9325086805555556, type data, entropy 7.790368243260483
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc
  VA 0x6000, VSize 0x59c, Raw 0x600, MD5 aae15e30898a02f09cc86ed48aa06b09, Xored PE: False, ZLIB complexity 0.4140625, type data, entropy 4.036947054771808
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata
  VA 0x8000, VSize 0x2000, Raw 0x200, MD5 ec9cb51e8cb4ea49a56ee3cf434fb69e, Xored PE: False, ZLIB complexity 0.1484375, type data, entropy 0.9342685949460681
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hyqsfdet
  VA 0xa000, VSize 0x29a000, Raw 0x299c00, MD5 2dac97108707d00e9c8c9bfabfcc3d94, Xored PE: unknown, ZLIB complexity unknown, type unknown, entropy unknown
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vfmexbxk
  VA 0x2a4000, VSize 0x2000, Raw 0x400, MD5 ee3fc02627ab7293cd09d0c916a400a5, Xored PE: False, ZLIB complexity 0.7294921875, type data, entropy 5.8816376064507025
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant
  VA 0x2a6000, VSize 0x4000, Raw 0x2200, MD5 ce64bd372681cdf0f9182856ee67cc3c, Xored PE: False, ZLIB complexity 0.06537224264705882, type DOS executable (COM), entropy 0.7750199505449972
  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources (Name / RVA / Size / Type / ZLIB Complexity; the Language and Country columns are empty in the report):
RT_VERSION   0x6090  0x30c  data  0.42948717948717946
RT_MANIFEST  0x63ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  0.5489795918367347
Imports (DLL / functions):
kernel32.dll: lstrcpy
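Several of the static signatures raised against this file come straight out of the section table above: executable sections that are also writable, randomly named sections, an entry point in .taggant rather than a code section, and a stored checksum that does not match. The block below is an added example written for this page, not Joe Sandbox code: a small PE32 header parser plus the standard PE checksum fold, run over a constructed image that `sample_image()` assembles to mirror the report's section names and characteristics at reduced size. The image, the section contents and the name `b"\x01\x02\x03\x04"` standing in for the blank-named section are the example's own; it is not the analysed file.

```python
"""Static PE triage for the packer indicators in the section table above.
Added example; not Joe Sandbox code. Inspects a constructed PE32, not file.exe."""
from __future__ import annotations
import struct

SCN_EXECUTE, SCN_READ, SCN_WRITE, SCN_INIT_DATA = 0x20000000, 0x40000000, 0x80000000, 0x40
CODE_SECTIONS = {b".text", b"CODE", b".code", b"INIT", b"PAGE"}
KNOWN_SECTIONS = CODE_SECTIONS | {b".data", b".rdata", b".rsrc", b".idata", b".edata",
                                  b".reloc", b".bss", b".tls", b".pdata", b".xdata", b".crt"}
SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000


def align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile algorithm: fold the file as 32-bit words (skipping the
    CheckSum field itself) down to 16 bits, then add the file length."""
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack("<I", data[off:off + 4].ljust(4, b"\0"))[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse(data: bytes) -> dict:
    """Pull the header fields the checks need (PE32 only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                  # IMAGE_OPTIONAL_HEADER32 follows the 20-byte COFF header
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2], "chars": f[9]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],      # AddressOfEntryPoint
            "checksum_off": opt + 64,                                   # CheckSum field offset
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def triage(data: bytes) -> list[str]:
    pe, findings, entry_section = parse(data), [], None
    for s in pe["sections"]:
        name = s["name"]
        if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE:
            findings.append(f"rwx section {name!r}")
        if any(c < 0x20 or c > 0x7E for c in name):
            findings.append(f"section name with special chars {name!r}")
        elif name not in KNOWN_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if s["va"] <= pe["entry"] < s["va"] + s["vsize"]:
            entry_section = name
    if entry_section not in CODE_SECTIONS:
        findings.append(f"entry point 0x{pe['entry']:x} outside standard code section ({entry_section!r})")
    stored, computed = pe["stored_checksum"], pe_checksum(data, pe["checksum_off"])
    if stored and stored != computed:    # 0 means "not set", which is common for plain EXEs
        findings.append(f"invalid checksum stored=0x{stored:x} computed=0x{computed:x}")
    return findings


def build_pe(sections: list[tuple[bytes, int, bytes, int]], entry_rva: int, checksum: int = 0) -> bytes:
    """Assemble a minimal PE32 from (name, virtual_address, raw_bytes, characteristics)."""
    nsec = len(sections)
    size_of_headers = align(64 + 4 + 20 + 0xE0 + 40 * nsec, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x102)  # i386, EXE, 32-bit
    image_size = sections[-1][1] + align(len(sections[-1][2]), SECTION_ALIGN)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry_rva, 0, 0, 0x400000, SECTION_ALIGN, FILE_ALIGN,
                      4, 0, 4, 0, 4, 0, 0, image_size, size_of_headers, checksum,
                      2, 0x140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    headers, body, raw_ptr = b"", b"", size_of_headers
    for name, va, raw, chars in sections:
        raw = raw.ljust(align(len(raw), FILE_ALIGN), b"\0")
        headers += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw), va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(size_of_headers, b"\0") + body


def sample_image(checksum: int = 0) -> bytes:
    """Constructed image: six sections named and flagged like the report's table."""
    rwx = SCN_INIT_DATA | SCN_EXECUTE | SCN_READ | SCN_WRITE
    rw = SCN_INIT_DATA | SCN_READ | SCN_WRITE
    return build_pe([
        (b"\x01\x02\x03\x04", 0x1000, b"\xe8" * 0x200, rwx),   # stands in for the blank-named section
        (b".rsrc", 0x2000, b"\0" * 0x100, rw),
        (b".idata", 0x3000, b"\0" * 0x100, rw),
        (b"hyqsfdet", 0x4000, bytes(range(256)) * 4, rwx),
        (b"vfmexbxk", 0x5000, b"\x90" * 0x200, rwx),
        (b".taggant", 0x6000, b"\xe9" + b"\0" * 0x1FF, rwx),
    ], entry_rva=0x6000, checksum=checksum)
```

Running `triage(sample_image(checksum=0x1234))` lists the same four kinds of indicator the report raises; note that the checksum rule deliberately stays silent when the stored value is zero, since most unsigned user-mode executables never set it, and that a match in `CODE_SECTIONS` is a weak guarantee: a packer can name its stub `.text` just as easily.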
No network behavior found

Target ID:0
Start time:12:35:56
Start date:23/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x3b0000
File size:2'751'488 bytes
MD5 hash:2622FF8859CC5CB9EF7B8F2DF061A93D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:3.8%
    Dynamic/Decrypted Code Coverage:5.6%
    Signature Coverage:2.5%
    Total number of Nodes:160
    Total number of Limit Nodes:6
    execution_graph: API-calling nodes recovered from the graph dump (node address: API), grouped by the root each subgraph hangs from
    • 4ab1308 -> 4ab1349: ImpersonateLoggedOnUser
    • 4ab0d48 -> 4ab0d93: OpenSCManagerW
    • 4ab1510 -> 4ab1558: ControlService
    • 591e1e: GetSystemInfo -> 591e7c: VirtualAlloc
    • 53a099 -> 53a0fa: CreateFileA
    • 3be9d0 -> 3beebd: VirtualAlloc
    • 539f7e -> 539f9f: CreateFileA
    • 539dbe -> 539dc5: CreateFileA
    • 536764: LoadLibraryA
    • 58bde0 -> 58bc28 (summarised in the dump as "15 API calls"), also reached from 58be01 -> 58bc41 -> 58bc8f; its callees: 58a5c9 GetCurrentThreadId, 58bdb8 LoadLibraryExA, 58bda4 LoadLibraryExW, 58baf3 LoadLibraryExA, 58abd7 PathAddExtensionA, 58a7f7 / 58b08b / 58b9b3 lstrcmpiA, 58aea6 / 58af00 / 58afbe VirtualAlloc, 58b28b VirtualProtect, 58bf43 GetProcAddress, 58b8e1 lstrcpyn, 58be8a FreeLibrary
    • 5432aa -> 544a72 -> 5470c8 / 5470ef: RegOpenKeyA -> 547150: GetNativeSystemInfo
    The 0x4ab0xxx-0x4ab1xxx nodes (service control and impersonation calls) lie outside the mapped image (base 0x3B0000, last section ending at 0x65A000), i.e. in dynamically allocated code; that is the "Dynamic/Decrypted Code Coverage" counted above.

    Control-flow Graph

    control_flow_graph 70 53a033-53a06b 72 53a071 70->72 73 53a075-53a0b4 70->73 72->73 75 53a0c0-53a0d1 73->75 76 53a0ba 73->76 78 53a0d7-53a0de 75->78 79 53a0df-53a0e0 75->79 76->75 78->79 81 53a0f2-53a0f3 79->81 82 53a0e6 79->82 84 53a0fa-53a103 CreateFileA 81->84 85 53a0f9 81->85 82->81 83 53a0ec 82->83 83->81 86 53a109-53a11e call 53a121 84->86 87 53a14d 84->87 85->84 86->87 89 53a14f-53a155 87->89 91 53a15b 89->91 92 53a16f-53a18d call 53a18f 89->92 91->92 92->89 95 53a18f-53a191 92->95 96 53a197 95->96 97 53a19d-53a1be 95->97 96->97 99 53a1c4-53a1c9 97->99 100 53a1ca-53a1ce 97->100 99->100 101 53a1e2-53a257 100->101 102 53a1d4 100->102 108 53a263-53a268 101->108 109 53a25d 101->109 102->101 110 53a274 108->110 111 53a26e 108->111 109->108 110->110 111->110
    APIs
    • CreateFileA.KERNELBASE(?,C744AE00,00000003,00000000,00000003,?,?,000000E6), ref: 0053A0FA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 26e2cd30538b5dc864c6f992a1687aee6d9a5275def79bd6b870172d8851f0fc
    • Instruction ID: 6c46cd50a0965fe6ea0f5f49068ff32a66e38fb62a4b1b0c61d48e6da0a88fcf
    • Opcode Fuzzy Hash: 26e2cd30538b5dc864c6f992a1687aee6d9a5275def79bd6b870172d8851f0fc
    • Instruction Fuzzy Hash: C2412B7618810AAED706CF54C9586EF7F79FB83370F30442AE482D7942D7A50D15E726

    Control-flow Graph

    control_flow_graph 175 591e1e-591e38 GetSystemInfo 176 591e7c-591ec5 VirtualAlloc 175->176 177 591e3e-591e76 175->177 180 591fab call 591fb4 176->180 181 591ecb-591eef 176->181 177->176 185 591fb0 180->185 181->180 186 591ef5-591f19 181->186 187 591fb2-591fb3 185->187 186->180 189 591f1f-591f43 186->189 189->180 191 591f49-591f56 189->191 192 591f7c-591f92 191->192 193 591f5c-591f77 191->193 195 591f98-591f9a 192->195 196 591fa6 193->196 195->180 197 591fa0 195->197 196->187 197->196
    APIs
    • GetSystemInfo.KERNELBASE(?,-11F15FEC), ref: 00591E2A
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00591E8B
    Memory Dump Source
    • Source File: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: c9ecbf3d0e84be0a4d9916077a11832431a245344d480a2682979216606ba38c
    • Instruction ID: 22a8f38418c3e535d50f86297658e1b59b7aa4c967869b2626aefe5d1427d4f2
    • Opcode Fuzzy Hash: c9ecbf3d0e84be0a4d9916077a11832431a245344d480a2682979216606ba38c
    • Instruction Fuzzy Hash: 2F41E0B5A40607AAE739DF64C845F9ABBACFF48740F1040A2F603CA482E77095D48BA4

    Control-flow Graph

    control_flow_graph 221 5368da-5368dc LoadLibraryA 222 5368f2-536a70 221->222 225 536a71 222->225 225->225
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 7861eddf6e9bae787f46b71c443533877da2a72b5db76e99064ef7899aa14e50
    • Instruction ID: efa9aeb0625ec676825703f65aa43d001b4ff05eaa0f70a477c3585dc078cc8f
    • Opcode Fuzzy Hash: 7861eddf6e9bae787f46b71c443533877da2a72b5db76e99064ef7899aa14e50
    • Instruction Fuzzy Hash: 85417BB250C210EFE7086F29D89167AFBE5FF84360F128C2EE2C597650D73558808B97
    Memory Dump Source
    • Source File: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8b99794ba604bc677a5cda74c1eb0202774d884fd1af8806cc7749dad175c708
    • Instruction ID: e27d4faae018bbd9836f104335af136840829e72a5d6de153ef5ee6b7449eb6c
    • Opcode Fuzzy Hash: 8b99794ba604bc677a5cda74c1eb0202774d884fd1af8806cc7749dad175c708
    • Instruction Fuzzy Hash: 3AB0921319C428499145A4B85A2A28266428893366338E711E160CAB4BCA408041619A

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0058BDAD
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0058BDC1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: eb45c979fe4b261437bc6946b95e148b5ab126a9fd9629c020d0f1edb4058af6
    • Instruction ID: 0e09e56aa44af904da39fb8188f713bc9d125c9c88c89adf68410aaf46d2e9af
    • Opcode Fuzzy Hash: eb45c979fe4b261437bc6946b95e148b5ab126a9fd9629c020d0f1edb4058af6
    • Instruction Fuzzy Hash: 7C315631401106FFEF15BF54D908AAD7FB9FF48310F258666FD02AA161C7319AA1EBA1

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005470DB
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00547102
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00547159
    Memory Dump Source
    • Source File: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: a99982f1ebef59eea75a12d7b4ba10bb40b970fffb3f2a69b4865ad710a8a052
    • Instruction ID: b731e154e9eaba2b64cb61319df0b374a2c6e8ab16c6319ccbbea8e6d7dc313f
    • Opcode Fuzzy Hash: a99982f1ebef59eea75a12d7b4ba10bb40b970fffb3f2a69b4865ad710a8a052
    • Instruction Fuzzy Hash: CF413EB110860EEFEB11DF50C884BEE7BA8FF14308F114829EA8286950E7765DA4DF59

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 080b224157506a3ae47f1822646e2330f2c8853044a61c9a183f5fe73e7ab888
    • Instruction ID: c4399476588f7c06a3f740c66ebd461b3cf9399a040cbeb1a6c5274052bd25d6
    • Opcode Fuzzy Hash: 080b224157506a3ae47f1822646e2330f2c8853044a61c9a183f5fe73e7ab888
    • Instruction Fuzzy Hash: C731FCBA14810A6EA702CF549A449FF7F7DF6C6730F304436F842C2901E7A20D099635

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0058ABDE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 8c855b71f2d4379f019321067b7832776d60b51927e5d59763a24bd1dd01f7cd
    • Instruction ID: 4589b37594f346577f4f4dfdb9778868186bb97443e2a4f0bd09a60b5fb379a5
    • Opcode Fuzzy Hash: 8c855b71f2d4379f019321067b7832776d60b51927e5d59763a24bd1dd01f7cd
    • Instruction Fuzzy Hash: 52310A35A0120ABFEF21EF94C84AF9E7A75BF48305F000156FE01B5060D77299A1DF52

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 214 536764-536768 LoadLibraryA 215 536779-53677b 214->215 216 536781 215->216 217 536795-5368d4 215->217 216->217 220 5368d5 217->220 220->220
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 26cea41fbc737044ad61197b4f96e54c9553ac58830d829c6c23134db7398377
    • Instruction ID: 58393108cd0e7254a111f6496caa7666022c245cc5924c55b1c3891acd4c2e09
    • Opcode Fuzzy Hash: 26cea41fbc737044ad61197b4f96e54c9553ac58830d829c6c23134db7398377
    • Instruction Fuzzy Hash: 51314CF240C610EFE705AF24EC866BABBE8FF44364F164C2DE6C5C2610E63558448B57

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 226 539c8f-539cde 229 539ce6-539d21 226->229 230 539ce4-539ce5 226->230 234 539d47-539d79 229->234 235 539d27-539d46 229->235 230->229 239 539d82-539dc6 234->239 240 539d7f 234->240 235->234 243 539dd4-539de5 CreateFileA call 539de8 239->243 244 539dcc-539dd3 239->244 240->239 244->243
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: aea37631c0940348e9fac09e9775d861dee324bececa333938cc7cd2bbedb157
    • Instruction ID: 797e6cad26a2a6cd191ff80ce4c974704267f7727dca4c532d6eb10e4e96094d
    • Opcode Fuzzy Hash: aea37631c0940348e9fac09e9775d861dee324bececa333938cc7cd2bbedb157
    • Instruction Fuzzy Hash: 7121A4F644D2966FE3028F609A527BA7FA4FB42320F214C66F546CB582D3D50E0497A1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 248 53a099-53a0a5 249 53a0a7-53a0a8 248->249 250 53a0c9-53a0cb 248->250 253 53a060-53a06b 249->253 254 53a0aa 249->254 251 53a0e5-53a0e6 250->251 252 53a0cd 250->252 257 53a0f2-53a0f3 251->257 258 53a0e7-53a0ec 251->258 255 53a122-53a130 252->255 256 53a0cf 252->256 259 53a071 253->259 260 53a075-53a094 253->260 261 53a0ab-53a0b4 254->261 262 53a0d0-53a0d1 256->262 263 53a0fa-53a103 CreateFileA 257->263 264 53a0f9 257->264 258->257 265 53a0ed-53a0f1 258->265 259->260 260->261 266 53a0c0-53a0c6 261->266 267 53a0ba 261->267 268 53a0d7-53a0de 262->268 269 53a0df-53a0e0 262->269 270 53a109-53a11e call 53a121 263->270 271 53a14d 263->271 264->263 265->257 266->262 267->266 268->269 269->257 273 53a0e6 269->273 270->271 275 53a14f-53a155 271->275 273->257 276 53a0ec 273->276 278 53a15b 275->278 279 53a16f-53a18d call 53a18f 275->279 276->257 278->279 279->275 282 53a18f-53a191 279->282 283 53a197 282->283 284 53a19d-53a1be 282->284 283->284 286 53a1c4-53a1c9 284->286 287 53a1ca-53a1ce 284->287 286->287 288 53a1e2-53a257 287->288 289 53a1d4 287->289 295 53a263-53a268 288->295 296 53a25d 288->296 289->288 297 53a274 295->297 298 53a26e 295->298 296->295 297->297 298->297
    APIs
    • CreateFileA.KERNELBASE(?,C744AE00,00000003,00000000,00000003,?,?,000000E6), ref: 0053A0FA
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d516133d4d5a4f0bb5bb5a91a023bc4dd6b2d26ecd8c7a7c6443967b57a65e71
    • Instruction ID: 30956ab67d700860e8d61d30cfbb3a55af03b9e013feee37c20345e8c453c298
    • Opcode Fuzzy Hash: d516133d4d5a4f0bb5bb5a91a023bc4dd6b2d26ecd8c7a7c6443967b57a65e71
    • Instruction Fuzzy Hash: 3721277144D3976FD70A8F64CC5879E3F65FB92760F24848AE4C18B482D7611C05E35B

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 299 539d09-539d0a 300 539cf5-539cfb 299->300 301 539d0b-539d21 299->301 300->301 303 539d47-539d79 301->303 304 539d27-539d46 301->304 308 539d82-539dc6 303->308 309 539d7f 303->309 304->303 312 539dd4-539de5 CreateFileA call 539de8 308->312 313 539dcc-539dd3 308->313 309->308 313->312
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 961afd43daa9a6f2909be5be24bac398bdca9d00416afa44ff1b9b09ac0bd8a9
    • Instruction ID: 896dd8c13798a4a75747033cc1710a806659efe8a936b8e9a8376533c1be50be
    • Opcode Fuzzy Hash: 961afd43daa9a6f2909be5be24bac398bdca9d00416afa44ff1b9b09ac0bd8a9
    • Instruction Fuzzy Hash: 4A110AE614C2966DD3039A205E62B7A3F64FF83324F210C56F546CB1C3C2D50A0493B1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 317 539cb9-539cde 319 539ce6-539d21 317->319 320 539ce4-539ce5 317->320 324 539d47-539d79 319->324 325 539d27-539d46 319->325 320->319 329 539d82-539dc6 324->329 330 539d7f 324->330 325->324 333 539dd4-539de5 CreateFileA call 539de8 329->333 334 539dcc-539dd3 329->334 330->329 334->333
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 36144abaf681dc63d966b9d4cbcda2caf15d072ee9211532b09a4def201dd741
    • Instruction ID: d6b37480397dd58676cae9db4b4e7c73324224faac30ca9c404192226550ff0b
    • Opcode Fuzzy Hash: 36144abaf681dc63d966b9d4cbcda2caf15d072ee9211532b09a4def201dd741
    • Instruction Fuzzy Hash: 9A11A7F254C2926EE3128F105E62B7B7FA8BB42734F214C6AF546DB182D2E40A0497A5

    Control-flow Graph (figure): basic blocks 4ab0d43-4ab0df7, with the call to OpenSCManagerW in block 4ab0dab-4ab0dda.
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04AB0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2210429257.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4ab0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: d03bd787735ed5053db0c18eb9e9ba405c24eea633c788499747f461f6e1b1ee
    • Instruction ID: f9a4ee10227afd2792940988a2a0fd695704f9ada45633bf7155b8aa0a091079
    • Opcode Fuzzy Hash: d03bd787735ed5053db0c18eb9e9ba405c24eea633c788499747f461f6e1b1ee
    • Instruction Fuzzy Hash: AC2127B6C052189FCB50CFA9D885ADEFBF4FF88320F14851AD908AB245D734A545CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04AB0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2210429257.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4ab0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: d7fccb0495b63171e90b147f88fa1988fd74da29e94e7b1b6fd0930040e01bd7
    • Instruction ID: ddbc15a88ae9c17348a37a627f7b42bb8f340ab02a29fb18952943fc678c78af
    • Opcode Fuzzy Hash: d7fccb0495b63171e90b147f88fa1988fd74da29e94e7b1b6fd0930040e01bd7
    • Instruction Fuzzy Hash: F82124B6C052189FCB50CFA9D884ADEFBF4FF88320F14861AD908AB245D734A540CBA4
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 10a2ff08bd32d99d8f7b9e5a0a2f9cca5fbfa15c39899eed463dd43ce737a652
    • Instruction ID: 1ee1570b51ccd9075135a633996c1b77fa17a6815205afaa372c5b4ed81b6444
    • Opcode Fuzzy Hash: 10a2ff08bd32d99d8f7b9e5a0a2f9cca5fbfa15c39899eed463dd43ce737a652
    • Instruction Fuzzy Hash: E01125B650CA44DFD3016F19D885ABEBBE4FF98314F22092DEAC543620EB3198609B47
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04AB1580
    Memory Dump Source
    • Source File: 00000000.00000002.2210429257.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4ab0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 83117962637dfda30bd5c31c06cee776b88252294f41f31ce3fdd09c2b82bf87
    • Instruction ID: b06d7fb4d4078dd855c190a78356601232dbee9147b706c89d91575b743b832e
    • Opcode Fuzzy Hash: 83117962637dfda30bd5c31c06cee776b88252294f41f31ce3fdd09c2b82bf87
    • Instruction Fuzzy Hash: 372103B59002499FDB10CFAAC584BDEFBF4EB48320F108429E958A7241D378A645CFA5
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5e7e741503103f6f1a0624a1677d4a7dbd9d16cb1c7b0704ba1bb95bb425d707
    • Instruction ID: f24f7083020654b5a7a06d975959bc6a9b719ae9c88820cff6fdc817aebfd8c2
    • Opcode Fuzzy Hash: 5e7e741503103f6f1a0624a1677d4a7dbd9d16cb1c7b0704ba1bb95bb425d707
    • Instruction Fuzzy Hash: 7701FCB204C2616DE3524E2059A2BFB7F98EF81734F344C69F1818B082C2D10A0987A1
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04AB1580
    Memory Dump Source
    • Source File: 00000000.00000002.2210429257.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4ab0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 012e43e4a8fc239e1507c8e49928ea36c119ff4c4ca29c5ec4a95cd48da13760
    • Instruction ID: be73e123c2446412b692534acf72572fbdb900aca78c9c9d5fd78adadee9e337
    • Opcode Fuzzy Hash: 012e43e4a8fc239e1507c8e49928ea36c119ff4c4ca29c5ec4a95cd48da13760
    • Instruction Fuzzy Hash: FC11E4B59002499FDB10CF9AC584BDEFBF8EB48320F108429E959A3251D378A644CFA5
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0620352a3780995e2422c9072ade3d884eb7b393f94cf68c686c6b0eed61393c
    • Instruction ID: aef25d9e0d92eeafbcd09b212c6933694b40636c9805ecabd4905690a6584c1a
    • Opcode Fuzzy Hash: 0620352a3780995e2422c9072ade3d884eb7b393f94cf68c686c6b0eed61393c
    • Instruction Fuzzy Hash: 5D01F4F314C162ADE6028E505AA3BBE7F98FB81734F304C26F6469F581C2D00A14E7A1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04AB1367
    Memory Dump Source
    • Source File: 00000000.00000002.2210429257.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4ab0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: fe2f2c2add1690036c0c18603fd1929b45e07f840dcc2a41d73c85e62a1c54e5
    • Instruction ID: 33aae435df7399f857978f64ebaa4decf7f1c301aec3a5474179a534099525df
    • Opcode Fuzzy Hash: fe2f2c2add1690036c0c18603fd1929b45e07f840dcc2a41d73c85e62a1c54e5
    • Instruction Fuzzy Hash: 521113B18002498FDB10DF9AC445BEEFBF8EF48324F24841AD558A3241D778A544CBA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04AB1367
    Memory Dump Source
    • Source File: 00000000.00000002.2210429257.0000000004AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AB0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4ab0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 2c5236a05596a6e0fb47ea4d83bdca47951d0a0251868f87cda998502cd146ad
    • Instruction ID: 93a3172be0fa398dbf1b058231f2492ec0989075c3393e462180b5e40766ced5
    • Opcode Fuzzy Hash: 2c5236a05596a6e0fb47ea4d83bdca47951d0a0251868f87cda998502cd146ad
    • Instruction Fuzzy Hash: 781125B18003498FDB10CF9AC444BDEBBF8EB48320F20841AD558A3241D778A544CBA5
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b1ac5ec1cfb9dbf07df68253e23f98144a217138b36c6a4f3d0355c72bc3721d
    • Instruction ID: 1610e9cce4cdc0dfc4677007e3a6c88b575c741498aaf26bdc3e9d5e8a62a707
    • Opcode Fuzzy Hash: b1ac5ec1cfb9dbf07df68253e23f98144a217138b36c6a4f3d0355c72bc3721d
    • Instruction Fuzzy Hash: 78F0E9B354C2325ED741DE2099E6BAF7BA4EF90320F110C29E6459B6C1C3D11A05CBD5
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5fd4fe9916b385691a8a6dd275678dc937c4acda9475a3226a96168c746abe74
    • Instruction ID: 6f8b93db6a142b70b2302db093a4116523a47db21c8bc428408564a1a9d1af0f
    • Opcode Fuzzy Hash: 5fd4fe9916b385691a8a6dd275678dc937c4acda9475a3226a96168c746abe74
    • Instruction Fuzzy Hash: 8FE026F0005163ABDB16EF20CDABBDFBF84AF11340F150829E10157586C3E422088FE9
    APIs
    • CreateFileA.KERNELBASE(00000000,DAC0AA2C,00000003,00000000,00000003,00000000), ref: 00539DDB
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e910c56a5ad3138a7bd3c7bf277a0da44ae10ae34e79676543ec59eb2710895d
    • Instruction ID: 0a3c924fe416c18e1dc82ee0681abc2deca548c8cf7e599943469cddb2315fde
    • Opcode Fuzzy Hash: e910c56a5ad3138a7bd3c7bf277a0da44ae10ae34e79676543ec59eb2710895d
    • Instruction Fuzzy Hash: 60D022F00053A238D31317700C83B6FAF9C5FA2600F04081AF000C7882C2C01A0042B9
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: e0b2505927fd098fbb678082f3a89281936048f97ffa3c7c7801559c273faa88
    • Instruction ID: add4875f875fe704469516370b6d4e120c4dfebbeb8ce8cea4252ccaf564309a
    • Opcode Fuzzy Hash: e0b2505927fd098fbb678082f3a89281936048f97ffa3c7c7801559c273faa88
    • Instruction Fuzzy Hash: 1B01D236A0050ABFDF12AFA5DC08D9EBF76FF48741F008162E801A5060D7328A62EF61
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 003BF0F5
    Memory Dump Source
    • Source File: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1f263e3574962f14b37476be05d0b0103ab7cdb4ab9d041576abca2fde4cb095
    • Instruction ID: 2669332d9cca9b0420a5a1dd298e4591948c93568542ae5ac6f0849c992b3940
    • Opcode Fuzzy Hash: 1f263e3574962f14b37476be05d0b0103ab7cdb4ab9d041576abca2fde4cb095
    • Instruction Fuzzy Hash: ACF04F7150C615CFD7497F68D4452FE77A4EF00325F22492DEAD64AA80EB354890DF8B
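The dump names listed under each "Memory Dump Source" encode where a region was captured: the first two fields are the process and analysis-phase indices, the third a dump identifier, the fourth the region's start address, and the fifth a value that matches the Win32 PAGE_* protection constants (0x40 PAGE_EXECUTE_READWRITE and 0x80 PAGE_EXECUTE_WRITECOPY for most regions here, which is what the "Detected unpacking (changes PE section rights)" signature keys on); the seventh field equals MEM_IMAGE, consistent with "based on PE: true". The following Python script is an added example and is not part of the Joe Sandbox report or its tooling. It parses a handful of the dump names from this page, decodes the protection field, and maps the two call sites listed above ("CreateFileA ... ref: 00539DDB" and "VirtualAlloc ... ref: 003BF0F5") back to the dump they fall in and to their RVA from the 0x3B0000 image base. The field layout, and the choice to treat the next region's start as the end of the current one (the report gives no sizes), are assumptions made for this example.

```python
import re
from collections import namedtuple

# Image base stated in the report ("Offset: 003B0000, based on PE: true").
IMAGE_BASE = 0x3B0000

# A subset of the dump names copied from the "Associated:" lists on this page.
DUMP_NAMES = """
00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
""".split()

# Call sites taken from the "APIs" lines of the function entries above.
API_REFS = {"CreateFileA": 0x539DDB, "VirtualAlloc": 0x3BF0F5}

# Documented Windows constants. ASSUMPTION: the fifth name field carries one of them.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITE_EXEC = {0x40, 0x80}        # writable and executable at the same time
MEM_IMAGE = 0x1000000            # documented value; ASSUMPTION: seventh field is MEM_* type

Dump = namedtuple("Dump", "name proc_idx phase dump_id base protect mem_type")

# ASSUMPTION about the layout: proc.phase.id.base.protect.state.type.extra.sdmp
NAME_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump(name):
    """Split one .sdmp name into its fields; raises on anything that does not fit."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    return Dump(name, int(m[1], 16), int(m[2], 16), m[3],
                int(m[4], 16), int(m[5], 16), int(m[7], 16))


def protect_name(d):
    return PAGE_PROTECT.get(d.protect, f"0x{d.protect:02X}")


def executable_writable(dumps):
    """Regions that are both writable and executable: the footprint of unpacking
    that rewrites section rights, and the regions a dumper should carve first."""
    return [d for d in dumps if d.protect in WRITE_EXEC]


def locate(dumps, va):
    """Find the dump whose region contains a virtual address. The report gives only
    start addresses, so a region is ASSUMED to end where the next one begins."""
    ordered = sorted(dumps, key=lambda d: d.base)
    for cur, nxt in zip(ordered, ordered[1:] + [None]):
        if cur.base <= va and (nxt is None or va < nxt.base):
            return cur
    return None


def rva(va):
    """Image-relative offset usable in a static view of the original PE."""
    return va - IMAGE_BASE


def summarize(names=DUMP_NAMES, refs=API_REFS):
    """Return, per API call site, the dump it lives in and its RVA, plus the WX count."""
    dumps = [parse_dump(n) for n in names]
    hits = {}
    for api, va in refs.items():
        d = locate(dumps, va)
        hits[api] = (d.dump_id, d.base, protect_name(d), rva(va)) if d else None
    return {"calls": hits, "wx_regions": len(executable_writable(dumps)),
            "image_regions": sum(d.mem_type == MEM_IMAGE for d in dumps)}


if __name__ == "__main__":
    for api, (dump_id, base, prot, off) in summarize()["calls"].items():
        print(f"{api:13s} -> dump {dump_id} @ 0x{base:06X} ({prot}), RVA 0x{off:X}")
```

Running it confirms the report's own cross-references: the CreateFileA site at 0x539DDB falls in the dump starting at 0x533000 (the "Source File" of that entry) and the VirtualAlloc site at 0x3BF0F5 in the one at 0x3BA000. Seven of the nine sampled regions are writable and executable, which is the condition a memory dumper should treat as "unpacked code may live here"; the fuzzy hashes the report prints are computed over exactly such regions, so a mismatch between dump protection and the original section flags is itself a useful triage signal.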
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID: {Sg
    • API String ID: 0-1832330743
    • Opcode ID: 9911139678b791f6e6194726d9b0cb65c0026ad341024b0f2f6e26417e975bca
    • Instruction ID: 8dc22d55861085c9499812c1daaf97fff0474e1db4f773b80565ead7f64c152e
    • Opcode Fuzzy Hash: 9911139678b791f6e6194726d9b0cb65c0026ad341024b0f2f6e26417e975bca
    • Instruction Fuzzy Hash: 5F5152B281C210AFE711AF15E8816BAFBE9FF58320F16492EEAD4C3654D33558419B93
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c8b19bb1ea7e428791205a6cfd4b0c60827dca5601720fb6580ecaf9f4322f89
    • Instruction ID: 1c59d4f82f634698542faab86f83bc86ba80afb23a2bdcaf885da6a75b990656
    • Opcode Fuzzy Hash: c8b19bb1ea7e428791205a6cfd4b0c60827dca5601720fb6580ecaf9f4322f89
    • Instruction Fuzzy Hash: 684125F3D0C209DFE3206938ED8567ABFA5F798320F264A3EC69283640E53159419693
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
• Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1571e9e2f87035ed47570bd5de343c70f8b276da5dbe152b88248809b0ee81b3
    • Instruction ID: 3ad3e11f4003f931fea3e5a58aa3e165405121072ffb2536a81c6b9c06c9e7b0
    • Opcode Fuzzy Hash: 1571e9e2f87035ed47570bd5de343c70f8b276da5dbe152b88248809b0ee81b3
    • Instruction Fuzzy Hash: 47413BB250C210AFE705AF29D8866BAFBE5FF84360F164C2DE6C583650D73594408B97
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 58d2dcc435e2c476690fe37771a1a3eeb08a36a96c8c046c80555b286d00a2ef
    • Instruction ID: c72d56773ab5f89dac4ed31cc8b35ca107e6ff8d0c9dcee428f90a04e29f09dd
    • Opcode Fuzzy Hash: 58d2dcc435e2c476690fe37771a1a3eeb08a36a96c8c046c80555b286d00a2ef
    • Instruction Fuzzy Hash: 46418BB250C210AFE709AF29D88167AFBE4FF84360F168C2EE2C587650D73558808B97
    Memory Dump Source
    • Source File: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 989138f49c48097286a57371f2bf8715347b32be1089370d5c46156d11b214ba
    • Instruction ID: 9dd442aeca2082e9216a888a52e0a8bd81e96a3586315350afe45dc61dbeb40f
    • Opcode Fuzzy Hash: 989138f49c48097286a57371f2bf8715347b32be1089370d5c46156d11b214ba
    • Instruction Fuzzy Hash: A931D5B290C714AFD701AF19DCC16BAFBE9EB98210F16892DE6C493700E63198458682
    Memory Dump Source
    • Source File: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e77c1b1b5910edac436bc5158dd6bbc6481dbc07ea7e7a633dda693881ff88c0
    • Instruction ID: 8af3837a08051db10a024481e103b042557c9d295df945740bdeeeea27eadf40
    • Opcode Fuzzy Hash: e77c1b1b5910edac436bc5158dd6bbc6481dbc07ea7e7a633dda693881ff88c0
    • Instruction Fuzzy Hash: C1315CB240C310AFE711AF19E88166EFBF4FF98720F16492EEAD493210C6355891DB97
    Memory Dump Source
    • Source File: 00000000.00000002.2208464773.0000000000540000.00000040.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
    • Associated: 00000000.00000002.2208158341.00000000003B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208179874.00000000003B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208204659.00000000003B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208228072.00000000003BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208246772.00000000003C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208264843.00000000003C5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208285912.00000000003C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208380406.0000000000518000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208398882.000000000051A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.0000000000533000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208418290.000000000053E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208450620.000000000053F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208484433.0000000000553000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208500280.000000000055A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208518883.0000000000576000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208536235.0000000000580000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208551280.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208566105.0000000000591000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208579297.0000000000592000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208594371.0000000000595000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208611859.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208626193.00000000005A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208639760.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208655074.00000000005B8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208671493.00000000005C7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208686077.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208699819.00000000005CA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208712980.00000000005CC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208730729.00000000005D7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208746728.00000000005DD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208760807.00000000005E3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208774807.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208809019.0000000000631000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208823727.0000000000632000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208838696.000000000063D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208853464.000000000063E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.000000000063F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208868425.0000000000645000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208898991.0000000000654000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2208934942.0000000000656000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9c1c6a0a32d0a8d345a7a8d472e4be41eae9c3ed37be8642a3767a8b2db4ee79
    • Instruction ID: 8b160156fd118964b79cd94f687dee1ad99a02ac94fe3e0b42481f452e3e9170
    • Opcode Fuzzy Hash: 9c1c6a0a32d0a8d345a7a8d472e4be41eae9c3ed37be8642a3767a8b2db4ee79
    • Instruction Fuzzy Hash: 1DE04676009201AED7009F55C859A9FFBF8FF19321F648889F884CB662C3358C42CB2A