Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561601
MD5:	d27d27fdfe69910143acccb36fa235c7
SHA1:	54ebcd4e030705bfc7852765fa39c354710ace21
SHA256:	227bd583a8e440e3e3d0eefa2941011e2b17d9b23cb35122a5131a455ed2e3d1
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D27D27FDFE69910143ACCCB36FA235C7)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100FD05 CryptVerifySignatureA,

0_2_0100FD05

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1777886298.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5001	0_2_00FB5001
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB53BB	0_2_00FB53BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103FCD3	0_2_0103FCD3

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 0100ACFA appears 35 times

Source: file.exe, 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2756608 > 1048576

Source: file.exe

Static PE information: Raw size of wtynnlzu is bigger than: 0x100000 < 0x29b000

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W;wtynnlzu:EW;mwtvpzpt:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2afe9e should be: 0x2a5e42

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: wtynnlzu
Source: file.exe	Static PE information: section name: mwtvpzpt
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB93A6 push 5FB49988h; mov dword ptr [esp], eax	0_2_00FB93D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB93A6 push ebx; mov dword ptr [esp], 7BF9C746h	0_2_00FB941B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB94E0 push ebp; mov dword ptr [esp], 3AFEBCECh	0_2_00FB9578
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB94E0 push 05999C21h; mov dword ptr [esp], ebx	0_2_00FB95A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB94E0 push 582F252Fh; mov dword ptr [esp], eax	0_2_00FB95AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB94E0 push edx; mov dword ptr [esp], esi	0_2_00FB95CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB94E0 push 318A98B4h; mov dword ptr [esp], edx	0_2_00FB9689
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3D0EB push ebx; mov dword ptr [esp], 07E2D440h	0_2_00E3D122
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBA0F4 push esi; mov dword ptr [esp], ecx	0_2_00FBA118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBA0F4 push ebx; mov dword ptr [esp], eax	0_2_00FBA14B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB70EC push eax; mov dword ptr [esp], 57F7C66Ah	0_2_00FB70ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBF0AC push eax; mov dword ptr [esp], 660E8A82h	0_2_00FBF0AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102515A push edx; mov dword ptr [esp], ebx	0_2_01025C69
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102515A push 37212924h; mov dword ptr [esp], ebp	0_2_01025CF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB60A0 push esi; mov dword ptr [esp], 5DCE6232h	0_2_00FB659A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3D0BD push ebp; mov dword ptr [esp], eax	0_2_00E3D0C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4108D push ecx; mov dword ptr [esp], edx	0_2_00E43AF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4108D push eax; mov dword ptr [esp], edx	0_2_00E43AFE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3D08D push ecx; mov dword ptr [esp], 5D7FCCE1h	0_2_00E3D09C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBD082 push edi; mov dword ptr [esp], 165B7C32h	0_2_00FBD08B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3F09F push 1605EB49h; mov dword ptr [esp], eax	0_2_00E3F794
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3D075 push 4BA3E638h; mov dword ptr [esp], ecx	0_2_00E3D085
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB6066 push 1702D192h; mov dword ptr [esp], eax	0_2_00FB6A2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3F047 push edi; mov dword ptr [esp], ebx	0_2_00E3F04E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010961B9 push 7C0CFD32h; mov dword ptr [esp], esi	0_2_01096203
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010961B9 push 53AC7BE4h; mov dword ptr [esp], ebp	0_2_01096220
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E41027 push 28DD837Fh; mov dword ptr [esp], ebp	0_2_00E41033
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010491CA push 5986F991h; mov dword ptr [esp], eax	0_2_010491F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010491CA push ecx; mov dword ptr [esp], esp	0_2_01049237
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4103B push ebx; mov dword ptr [esp], ecx	0_2_00E43110
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB5001 push eax; mov dword ptr [esp], edx	0_2_00FB50F0

Source: file.exe

Static PE information: section name: entropy: 7.816173520616023

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E494 second address: E3DD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007FD5DD2E30F4h 0x0000000c nop 0x0000000d jc 00007FD5DD2E30ECh 0x00000013 mov dword ptr [ebp+122D2A49h], esi 0x00000019 push dword ptr [ebp+122D1309h] 0x0000001f clc 0x00000020 call dword ptr [ebp+122D1DC2h] 0x00000026 pushad 0x00000027 jns 00007FD5DD2E30FAh 0x0000002d xor eax, eax 0x0000002f jp 00007FD5DD2E30ECh 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 stc 0x0000003a mov dword ptr [ebp+122D3A66h], eax 0x00000040 jmp 00007FD5DD2E30F9h 0x00000045 mov esi, 0000003Ch 0x0000004a mov dword ptr [ebp+122D2A72h], eax 0x00000050 add esi, dword ptr [esp+24h] 0x00000054 pushad 0x00000055 jns 00007FD5DD2E30FFh 0x0000005b popad 0x0000005c pushad 0x0000005d jp 00007FD5DD2E30E8h 0x00000063 sbb si, E07Ch 0x00000068 popad 0x00000069 lodsw 0x0000006b mov dword ptr [ebp+122D1D90h], esi 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 add dword ptr [ebp+122D1D9Bh], ebx 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f jnc 00007FD5DD2E30F4h 0x00000085 push eax 0x00000086 jc 00007FD5DD2E3102h 0x0000008c push eax 0x0000008d push edx 0x0000008e jmp 00007FD5DD2E30F4h 0x00000093 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB925E second address: FB9273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DCDD3281h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9273 second address: FB927D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD5DD2E30F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB927D second address: FB9283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB951E second address: FB9564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FD5DD2E30F7h 0x0000000b jmp 00007FD5DD2E30EAh 0x00000010 jmp 00007FD5DD2E30EFh 0x00000015 popad 0x00000016 popad 0x00000017 jne 00007FD5DD2E3100h 0x0000001d push eax 0x0000001e push edx 0x0000001f js 00007FD5DD2E30E6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB96B3 second address: FB96B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB96B9 second address: FB96ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FD5DD2E310Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9848 second address: FB985D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 jns 00007FD5DCDD327Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB99A0 second address: FB99A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB99A4 second address: FB99AA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB99AA second address: FB99B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB99B3 second address: FB99BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB99BD second address: FB99DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD5DD2E30F4h 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9B3B second address: FB9B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FD5DCDD3276h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB9B48 second address: FB9B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC8BF second address: FBC8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC8C3 second address: FBC8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC8C7 second address: FBC8DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD5DCDD327Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC8DC second address: FBC8E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC8E0 second address: FBC940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 430B6381h 0x0000000e mov dx, cx 0x00000011 push 00000003h 0x00000013 je 00007FD5DCDD3287h 0x00000019 jmp 00007FD5DCDD3281h 0x0000001e push 00000000h 0x00000020 jmp 00007FD5DCDD327Eh 0x00000025 push 00000003h 0x00000027 jmp 00007FD5DCDD327Fh 0x0000002c sub dword ptr [ebp+122D1DEBh], esi 0x00000032 push A476C47Bh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a js 00007FD5DCDD3276h 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC940 second address: FBC945 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC945 second address: FBC98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 6476C47Bh 0x0000000e mov di, 5388h 0x00000012 lea ebx, dword ptr [ebp+12452790h] 0x00000018 pushad 0x00000019 mov esi, 12EDF8EAh 0x0000001e mov edx, dword ptr [ebp+122D2C31h] 0x00000024 popad 0x00000025 jno 00007FD5DCDD327Ch 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FD5DCDD3284h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBC98D second address: FBC9A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DD2E30F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCA4A second address: FBCAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 add dword ptr [esp], 50561477h 0x0000000d sub dword ptr [ebp+122D1DEBh], edi 0x00000013 push 00000003h 0x00000015 add dword ptr [ebp+122D1FB7h], esi 0x0000001b push 00000000h 0x0000001d mov cl, 64h 0x0000001f push 00000003h 0x00000021 jmp 00007FD5DCDD327Fh 0x00000026 call 00007FD5DCDD3279h 0x0000002b jns 00007FD5DCDD3281h 0x00000031 jmp 00007FD5DCDD327Bh 0x00000036 push eax 0x00000037 jmp 00007FD5DCDD327Ah 0x0000003c mov eax, dword ptr [esp+04h] 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FD5DCDD327Ch 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCAB1 second address: FBCAEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c jmp 00007FD5DD2E30EAh 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 jmp 00007FD5DD2E30F1h 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCAEE second address: FBCAF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCAF2 second address: FBCB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 clc 0x00000009 lea ebx, dword ptr [ebp+12452799h] 0x0000000f adc si, 8C89h 0x00000014 push eax 0x00000015 push eax 0x00000016 pushad 0x00000017 jnp 00007FD5DD2E30E6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCB8D second address: FBCB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCB91 second address: FBCBD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b mov dl, bl 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D2A94h], ebx 0x00000015 call 00007FD5DD2E30E9h 0x0000001a jmp 00007FD5DD2E30EDh 0x0000001f push eax 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD5DD2E30F4h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCBD9 second address: FBCBDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCBDD second address: FBCBF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD5DD2E30EDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCBF7 second address: FBCC08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DCDD327Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCC08 second address: FBCC0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCC0C second address: FBCC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jo 00007FD5DCDD3280h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCC21 second address: FBCC34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FD5DD2E30E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCC34 second address: FBCC3A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBCC3A second address: FBCC8E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007FD5DD2E30E6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov edx, 15FC4493h 0x00000012 mov edi, esi 0x00000014 push 00000003h 0x00000016 jbe 00007FD5DD2E30F3h 0x0000001c push 00000000h 0x0000001e sbb si, 7909h 0x00000023 movzx esi, bx 0x00000026 push 00000003h 0x00000028 mov dword ptr [ebp+122D2B72h], esi 0x0000002e push ACF992EEh 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FD5DD2E30F2h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD4A4 second address: FCD4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD4A9 second address: FCD4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FCD4C9 second address: FCD4CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDBBFF second address: FDBC19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD5DD2E30ECh 0x0000000d js 00007FD5DD2E30E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDBC19 second address: FDBC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9C3C second address: FD9C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9C40 second address: FD9C56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3282h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9C56 second address: FD9C5B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD9F31 second address: FD9F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDA444 second address: FDA44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD5DD2E30E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDAB3E second address: FDAB42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDAB42 second address: FDAB46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDAB46 second address: FDAB5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD5DCDD3276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jc 00007FD5DCDD3276h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FABADA second address: FABAEA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD5DD2E30E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDACAD second address: FDACB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDB643 second address: FDB668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jo 00007FD5DD2E30E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDB668 second address: FDB66C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDEEA9 second address: FDEEB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FD5DD2E30E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE2619 second address: FE2620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE13AD second address: FE13B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE13B2 second address: FE13B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA8526 second address: FA8558 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD5DD2E30EBh 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007FD5DD2E30F1h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE8CE6 second address: FE8D06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DCDD327Eh 0x00000009 jmp 00007FD5DCDD327Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE8D06 second address: FE8D15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007FD5DD2E30E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE8D15 second address: FE8D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD5DCDD3276h 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE89E3 second address: FE8A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD5DD2E30F1h 0x0000000d jmp 00007FD5DD2E30F1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FE8A0D second address: FE8A19 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD5DCDD327Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB57C second address: FEB581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB729 second address: FEB746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DCDD3289h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB9BA second address: FEB9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB9BE second address: FEB9D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DCDD3282h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEBA82 second address: FEBA92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEBA92 second address: FEBA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEBA98 second address: FEBA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEC14B second address: FEC153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEC301 second address: FEC307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEC307 second address: FEC30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FECB84 second address: FECB8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FECB8A second address: FECB8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEE64B second address: FEE65E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD5DD2E30EBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEF037 second address: FEF05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 xor dword ptr [ebp+122DBB43h], eax 0x0000000f push 00000000h 0x00000011 add dword ptr [ebp+1244C026h], ecx 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jns 00007FD5DCDD3276h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEF05C second address: FEF060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFA42 second address: FEFAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FD5DCDD3278h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 sbb esi, 1B4201B2h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007FD5DCDD3278h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 0000001Ch 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 jnl 00007FD5DCDD3290h 0x0000004d push 00000000h 0x0000004f mov edi, dword ptr [ebp+122D2CA7h] 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push ebx 0x00000059 push ebx 0x0000005a pop ebx 0x0000005b pop ebx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEFAC8 second address: FEFADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FD5DD2E30E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF05C4 second address: FF05C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1A53 second address: FF1A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+12452AC7h], edi 0x00000010 push 00000000h 0x00000012 mov di, cx 0x00000015 push 00000000h 0x00000017 mov esi, dword ptr [ebp+122D3BF6h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD5DD2E30EFh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1A8B second address: FF1A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF1A91 second address: FF1A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3500 second address: FF3507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF3507 second address: FF3512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FD5DD2E30E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF5474 second address: FF54C8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD5DCDD3276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D2CEDh], esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FD5DCDD3278h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 stc 0x00000031 add ebx, 6CF7DD00h 0x00000037 movzx edi, di 0x0000003a push 00000000h 0x0000003c mov edi, ebx 0x0000003e push eax 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FD5DCDD327Dh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF2352 second address: FF2357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF6473 second address: FF647D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD5DCDD3276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF660E second address: FF66B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FD5DD2E30E8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 add dword ptr [ebp+122D20D8h], eax 0x00000029 mov dword ptr [ebp+122D1DEBh], eax 0x0000002f push dword ptr fs:[00000000h] 0x00000036 clc 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov edi, ebx 0x00000040 jmp 00007FD5DD2E30F2h 0x00000045 mov eax, dword ptr [ebp+122D0B9Dh] 0x0000004b push 00000000h 0x0000004d push esi 0x0000004e call 00007FD5DD2E30E8h 0x00000053 pop esi 0x00000054 mov dword ptr [esp+04h], esi 0x00000058 add dword ptr [esp+04h], 0000001Ch 0x00000060 inc esi 0x00000061 push esi 0x00000062 ret 0x00000063 pop esi 0x00000064 ret 0x00000065 push FFFFFFFFh 0x00000067 mov bh, EEh 0x00000069 nop 0x0000006a jmp 00007FD5DD2E30EDh 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 jnp 00007FD5DD2E30E6h 0x00000079 jo 00007FD5DD2E30E6h 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF77DB second address: FF77E8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8812 second address: FF8816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF77E8 second address: FF77EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8816 second address: FF8828 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FD5DD2E30E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF8828 second address: FF882C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA7DA second address: FFA7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFA7DE second address: FFA7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD5DCDD327Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF9995 second address: FF999B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF999B second address: FF99BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3284h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FD5DCDD3276h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FF99BE second address: FF99C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFB7A0 second address: FFB7A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFB7A4 second address: FFB7A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFC78F second address: FFC7FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FD5DCDD3276h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FD5DCDD3278h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122DBB43h], ebx 0x00000032 jmp 00007FD5DCDD3288h 0x00000037 popad 0x00000038 push 00000000h 0x0000003a call 00007FD5DCDD3283h 0x0000003f stc 0x00000040 pop edi 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 push ecx 0x00000045 pushad 0x00000046 popad 0x00000047 pop ecx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFD770 second address: FFD782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DD2E30EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF811 second address: FFF87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FD5DCDD327Fh 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D2A15h], edx 0x00000013 jo 00007FD5DCDD327Ah 0x00000019 mov di, 9E29h 0x0000001d push 00000000h 0x0000001f mov edi, 44CD93CAh 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007FD5DCDD3278h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 adc edi, 326705F0h 0x00000046 mov dword ptr [ebp+1244CB59h], ecx 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jns 00007FD5DCDD3276h 0x00000056 push ecx 0x00000057 pop ecx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF87A second address: FFF897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jg 00007FD5DD2E30E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FD5DD2E30ECh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFC960 second address: FFC980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3284h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FD5DCDD3276h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE92C second address: FFE931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE931 second address: FFE944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DCDD327Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE944 second address: FFE9EB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD5DD2E30E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f xor ebx, dword ptr [ebp+122D3BAEh] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov ebx, dword ptr [ebp+1244BFFFh] 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 mov bx, CC39h 0x0000002d mov eax, dword ptr [ebp+122D1681h] 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007FD5DD2E30E8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d mov edi, dword ptr [ebp+122D3B4Eh] 0x00000053 call 00007FD5DD2E30F7h 0x00000058 mov dword ptr [ebp+122DBB56h], ecx 0x0000005e pop ebx 0x0000005f push FFFFFFFFh 0x00000061 push 00000000h 0x00000063 push ecx 0x00000064 call 00007FD5DD2E30E8h 0x00000069 pop ecx 0x0000006a mov dword ptr [esp+04h], ecx 0x0000006e add dword ptr [esp+04h], 00000015h 0x00000076 inc ecx 0x00000077 push ecx 0x00000078 ret 0x00000079 pop ecx 0x0000007a ret 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007FD5DD2E30EEh 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE9EB second address: FFE9EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFE9EF second address: FFE9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FFF9CD second address: FFF9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100292B second address: 100292F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 100292F second address: 1002935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002A9A second address: 1002AAB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD5DD2E30E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002AAB second address: 1002B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007FD5DCDD327Dh 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FD5DCDD3278h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 cld 0x00000029 mov ebx, dword ptr [ebp+122D1E8Bh] 0x0000002f push dword ptr fs:[00000000h] 0x00000036 xor di, E381h 0x0000003b mov di, 38D6h 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov bh, ch 0x00000048 jg 00007FD5DCDD327Ch 0x0000004e mov eax, dword ptr [ebp+122D0815h] 0x00000054 push 00000000h 0x00000056 push edi 0x00000057 call 00007FD5DCDD3278h 0x0000005c pop edi 0x0000005d mov dword ptr [esp+04h], edi 0x00000061 add dword ptr [esp+04h], 0000001Ch 0x00000069 inc edi 0x0000006a push edi 0x0000006b ret 0x0000006c pop edi 0x0000006d ret 0x0000006e push FFFFFFFFh 0x00000070 mov edi, dword ptr [ebp+122D1D0Dh] 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 jnl 00007FD5DCDD3278h 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1002B4F second address: 1002B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DD2E30F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10090B8 second address: 10090BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10090BC second address: 10090C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1014584 second address: 1014589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10149C0 second address: 10149CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FD5DD2E30E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101B06A second address: 101B093 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD5DCDD3278h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FD5DCDD3287h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 101B093 second address: 101B0CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FD5DD2E30F7h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jo 00007FD5DD2E30E8h 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007FD5DD2E30EBh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10204DB second address: 10204F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DCDD327Ch 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jne 00007FD5DCDD3276h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020D42 second address: 1020D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DD2E30EFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020D56 second address: 1020D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020EB8 second address: 1020EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FD5DD2E30F5h 0x0000000b jmp 00007FD5DD2E30F5h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1020EED second address: 1020EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD5DCDD3276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102108A second address: 1021092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102120B second address: 102120F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102120F second address: 102121B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD5DD2E30E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102121B second address: 1021243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD5DCDD3284h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007FD5DCDD3276h 0x00000010 popad 0x00000011 jnp 00007FD5DCDD327Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102137F second address: 1021398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FD5DD2E30F1h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1021398 second address: 102139D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1021538 second address: 1021545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FD5DD2E30E6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10216F5 second address: 1021711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DCDD3288h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1024ABB second address: 1024AC9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FD5DD2E30E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102AE5A second address: 102AE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102993B second address: 1029941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029941 second address: 1029978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FD5DCDD3278h 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e jmp 00007FD5DCDD327Ah 0x00000013 jmp 00007FD5DCDD3284h 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007FD5DCDD3276h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029978 second address: 102997E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029C45 second address: 1029C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029C4B second address: 1029C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029DC6 second address: 1029DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029DCC second address: 1029DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029DD2 second address: 1029DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029DD6 second address: 1029DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029DDF second address: 1029E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD5DCDD3276h 0x0000000a jnp 00007FD5DCDD3276h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD5DCDD3285h 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007FD5DCDD3276h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029E11 second address: 1029E19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029E19 second address: 1029E23 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD5DCDD327Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1029F51 second address: 1029F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A28D second address: 102A293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A293 second address: 102A298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A298 second address: 102A2A2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD5DCDD3282h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A423 second address: 102A465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007FD5DD2E30F3h 0x0000000d pop ecx 0x0000000e push edx 0x0000000f jo 00007FD5DD2E30E6h 0x00000015 pop edx 0x00000016 popad 0x00000017 pushad 0x00000018 jnp 00007FD5DD2E30EEh 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 je 00007FD5DD2E30E6h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A465 second address: 102A469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A707 second address: 102A711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD5DD2E30E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102A711 second address: 102A715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD3BC1 second address: FD3BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102EF76 second address: 102EF9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jnc 00007FD5DCDD3276h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102EF9F second address: 102EFCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FD5DD2E30E6h 0x00000010 jmp 00007FD5DD2E30EEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102EFCD second address: 102EFD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102EFD3 second address: 102EFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102EFD8 second address: 102EFEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FD5DCDD3276h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c ja 00007FD5DCDD3282h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA4A4 second address: FEA4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA4A8 second address: FEA4AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA79A second address: FEA7A4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD5DD2E30ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEA7A4 second address: FEA7AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEB095 second address: FD3BC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD5DD2E30F3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov cl, D1h 0x00000012 lea eax, dword ptr [ebp+1247FA8Bh] 0x00000018 mov edi, esi 0x0000001a push eax 0x0000001b pushad 0x0000001c jng 00007FD5DD2E30ECh 0x00000022 jne 00007FD5DD2E30E6h 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b pop edx 0x0000002c popad 0x0000002d mov dword ptr [esp], eax 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FD5DD2E30E8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a call dword ptr [ebp+122D1BF3h] 0x00000050 push eax 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102F28D second address: 102F292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102F292 second address: 102F297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102F297 second address: 102F29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 102F8A9 second address: 102F8B3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD5DD2E30ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103450F second address: 103451A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103451A second address: 1034520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1033FC4 second address: 1034008 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD5DCDD327Eh 0x00000008 jns 00007FD5DCDD3276h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FD5DCDD3280h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d jng 00007FD5DCDD3276h 0x00000023 popad 0x00000024 pushad 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 pop eax 0x00000029 push edx 0x0000002a pop edx 0x0000002b push ebx 0x0000002c pop ebx 0x0000002d popad 0x0000002e push eax 0x0000002f je 00007FD5DCDD3276h 0x00000035 pop eax 0x00000036 push ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034D83 second address: 1034DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DD2E30EFh 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD5DD2E30F5h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034DB2 second address: 1034DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034EEB second address: 1034F08 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD5DD2E30E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FD5DD2E30EFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034F08 second address: 1034F1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD327Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034F1F second address: 1034F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034F23 second address: 1034F4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FD5DCDD3276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007FD5DCDD328Bh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FD5DCDD3283h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034F4A second address: 1034F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034F50 second address: 1034F6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3280h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1034F6A second address: 1034F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1035206 second address: 1035237 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD5DCDD3276h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FD5DCDD327Ah 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 jmp 00007FD5DCDD3286h 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1035237 second address: 103523C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10380E5 second address: 10380FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3280h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103CDA0 second address: 103CDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jmp 00007FD5DD2E30F8h 0x0000000b je 00007FD5DD2E30E6h 0x00000011 pop esi 0x00000012 jo 00007FD5DD2E30ECh 0x00000018 jl 00007FD5DD2E30E6h 0x0000001e pushad 0x0000001f jnc 00007FD5DD2E30E6h 0x00000025 jnl 00007FD5DD2E30E6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103F947 second address: 103F94C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103F94C second address: 103F972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007FD5DD2E30EDh 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007FD5DD2E30E6h 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103F972 second address: 103F97E instructions: 0x00000000 rdtsc 0x00000002 je 00007FD5DCDD3276h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 103F97E second address: 103F9A1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD5DD2E3105h 0x00000008 jmp 00007FD5DD2E30F9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104399A second address: 10439C7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD5DCDD327Eh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD5DCDD3288h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10439C7 second address: 10439D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c ja 00007FD5DD2E30E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10439D9 second address: 10439DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1043CF5 second address: 1043D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DD2E30F0h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEAA5E second address: FEAADC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FD5DCDD3281h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 pushad 0x00000012 je 00007FD5DCDD3276h 0x00000018 jmp 00007FD5DCDD327Dh 0x0000001d popad 0x0000001e popad 0x0000001f nop 0x00000020 mov dword ptr [ebp+1246AB8Fh], esi 0x00000026 push 00000004h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007FD5DCDD3278h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Dh 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 nop 0x00000043 jmp 00007FD5DCDD3281h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push esi 0x0000004c jp 00007FD5DCDD3276h 0x00000052 pop esi 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10440B3 second address: 10440B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10440B9 second address: 10440CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD5DCDD327Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10440CF second address: 10440DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1044210 second address: 1044216 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1049951 second address: 1049971 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007FD5DD2E30E6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD5DD2E30F4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1049971 second address: 1049975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1048D2E second address: 1048D35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1048EAE second address: 1048EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C107 second address: 104C10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C10B second address: 104C117 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FD5DCDD3276h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C117 second address: 104C142 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD5DD2E30FBh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD5DD2E30ECh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C486 second address: 104C48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C48C second address: 104C492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C492 second address: 104C498 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 104C498 second address: 104C4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD5DD2E30F8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10536A0 second address: 10536A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051706 second address: 1051726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jl 00007FD5DD2E30E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051726 second address: 105172A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105172A second address: 1051733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051733 second address: 1051746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FD5DCDD3276h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051746 second address: 105174C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 105174C second address: 1051750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051750 second address: 1051754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051754 second address: 105175A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1051FF3 second address: 1051FFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD5DD2E30ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10572EE second address: 1057304 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FD5DCDD327Eh 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007FD5DCDD3276h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057577 second address: 1057591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DD2E30F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057591 second address: 1057598 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057598 second address: 10575C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FD5DD2E30FCh 0x0000000b jmp 00007FD5DD2E30F6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 js 00007FD5DD2E30E8h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A3E second address: 1057A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DCDD327Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A50 second address: 1057A6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A6C second address: 1057A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A79 second address: 1057A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DD2E30EAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A89 second address: 1057A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A8F second address: 1057A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057A9A second address: 1057AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1057AA3 second address: 1057AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062AEE second address: 1062AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062AF2 second address: 1062AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062AFC second address: 1062B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062B02 second address: 1062B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1062F6F second address: 1062F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10631F0 second address: 10631FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10631FE second address: 1063204 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10634A6 second address: 10634BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FD5DD2E30F0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10634BF second address: 10634E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD5DCDD3276h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD5DCDD3289h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10634E7 second address: 1063513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD5DD2E30F2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007FD5DD2E30F4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1063693 second address: 10636BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FD5DCDD3276h 0x00000009 jnp 00007FD5DCDD3276h 0x0000000f jmp 00007FD5DCDD3288h 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10637EB second address: 10637F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD5DD2E30ECh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1063987 second address: 106398C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106398C second address: 10639A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DD2E30F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10639A3 second address: 10639A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10639A7 second address: 10639AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1064750 second address: 1064758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1064758 second address: 106475E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F273 second address: 106F277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F277 second address: 106F27B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F27B second address: 106F281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F281 second address: 106F292 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30EBh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106F292 second address: 106F296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106ECD9 second address: 106ECE3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD5DD2E30E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106ECE3 second address: 106ECE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106ECE9 second address: 106ECF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD5DD2E30E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106ECF3 second address: 106ECF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 106EE34 second address: 106EE64 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD5DD2E3101h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FD5DD2E30F9h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 js 00007FD5DD2E30F0h 0x00000017 push esi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 107F593 second address: 107F599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1084CDA second address: 1084CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1084CDE second address: 1084CEE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD5DCDD3276h 0x00000008 jnl 00007FD5DCDD3276h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108E598 second address: 108E5A2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD5DD2E30ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108E42A second address: 108E441 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3281h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 108E441 second address: 108E447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1094DB7 second address: 1094DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1095098 second address: 109509E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109509E second address: 10950A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10950A2 second address: 10950B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10950B1 second address: 10950D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jmp 00007FD5DCDD3289h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10950D2 second address: 10950DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10950DA second address: 10950E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1095211 second address: 1095226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FD5DD2E30EDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109536D second address: 109538A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DCDD3287h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109538A second address: 10953CF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD5DD2E30E6h 0x00000008 jmp 00007FD5DD2E30F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007FD5DD2E30ECh 0x00000015 jns 00007FD5DD2E30E6h 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e jnp 00007FD5DD2E30F2h 0x00000024 jmp 00007FD5DD2E30ECh 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10953CF second address: 10953D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD5DCDD3276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109968E second address: 109969A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109969A second address: 109969E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 109969E second address: 10996A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A0736 second address: 10A073D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10A238A second address: 10A23A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD5DD2E30F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B1280 second address: 10B1297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD5DCDD3283h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B3D91 second address: 10B3D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FD5DD2E30E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B3D9F second address: 10B3DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD5DCDD327Eh 0x0000000a pushad 0x0000000b jnc 00007FD5DCDD3276h 0x00000011 js 00007FD5DCDD3276h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FD5DCDD3284h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B3F3A second address: 10B3F54 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD5DD2E30F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B3F54 second address: 10B3F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10B7AD6 second address: 10B7AE0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD5DD2E30E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BEE18 second address: 10BEE1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BEE1C second address: 10BEE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BEE24 second address: 10BEE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FD5DCDD3276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE1B8 second address: 10BE1BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE1BC second address: 10BE1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE1C4 second address: 10BE1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FD5DD2E30E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE1CE second address: 10BE1D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE71C second address: 10BE722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE722 second address: 10BE741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DCDD3283h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FD5DCDD3276h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE741 second address: 10BE745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE8AB second address: 10BE8AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BE9FA second address: 10BEA1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD5DD2E30F9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10BEB7B second address: 10BEB85 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD5DCDD3276h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C2252 second address: 10C2258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C2258 second address: 10C225E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C1C88 second address: 10C1CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jmp 00007FD5DD2E30F2h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007FD5DD2E30E8h 0x00000017 push ebx 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7151 second address: 10C7155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7155 second address: 10C7159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7159 second address: 10C7163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C7163 second address: 10C718F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD5DD2E30EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FD5DD2E30F7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C718F second address: 10C7195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10CBF12 second address: 10CBF22 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD5DD2E30E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C2103 second address: 10C2109 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 10C2109 second address: 10C2116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 ja 00007FD5DD2E30E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FEE43F second address: FEE445 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E3DC9A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E3DD8E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1074D7C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E40627 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4C80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6E20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB93A6 rdtsc

0_2_00FB93A6

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 772

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01017FEC GetSystemInfo,VirtualAlloc,

0_2_01017FEC

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB93A6 rdtsc

0_2_00FB93A6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E3B948 LdrInitializeThunk,

0_2_00E3B948

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: drProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100EE47 GetSystemTime,GetFileTime,

0_2_0100EE47

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561601
Start date and time:	2024-11-23 21:58:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.463187557611912
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'756'608 bytes
MD5:	d27d27fdfe69910143acccb36fa235c7
SHA1:	54ebcd4e030705bfc7852765fa39c354710ace21
SHA256:	227bd583a8e440e3e3d0eefa2941011e2b17d9b23cb35122a5131a455ed2e3d1
SHA512:	83d986ceb419009111503094285574907fa5d959c2fe72c5dc1bab7e57c95f5b40e82fb78d10914dcc5771e8f84dab9d41bc459132339c389b1e0c5cc6704aad
SSDEEP:	24576:3lmTlVY6Leq/bQlnoq8rYXkPv0w/D1gU8+kf62Smh8eEVBqa7EAK9QdpnSW1+kKe:3lilVYw1UOAXimkzga7DdD+kKGcF
TLSH:	FBD53AE2B50975CFD48B2374942BCD99995D02F94B1809D3B82CB4BAFE63CD112F6D28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$.............. ...`....@.. ...............................*...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6a8000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD5DD2DE19Ah
pmaxsw mm5, qword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
inc ecx
push bx
dec esi
dec ebp
das
xor al, 36h
dec edi
bound ecx, dword ptr [ecx+4Ah]
dec edx
insd
push edi
dec eax
dec eax
jbe 00007FD5DD2DE202h
push esi
dec edx
popad
je 00007FD5DD2DE1FBh
push edx
dec esi
jc 00007FD5DD2DE20Ah
cmp byte ptr [ebx], dh
push edx
jns 00007FD5DD2DE1D7h
or eax, 49674B0Ah
cmp byte ptr [edi+43h], dl
jnc 00007FD5DD2DE1DDh
bound eax, dword ptr [ecx+30h]
pop edx
inc edi
push esp
push 43473163h
aaa
push edi
dec esi
xor ebp, dword ptr [ebx+59h]
push edi
push edx
pop eax
je 00007FD5DD2DE1E7h
xor dl, byte ptr [ebx+2Bh]
popad
jne 00007FD5DD2DE1DCh
dec eax
dec ebp
jo 00007FD5DD2DE1D3h
xor dword ptr [edi], esi
inc esp
dec edx
dec ebp
jns 00007FD5DD2DE1E0h
insd
jnc 00007FD5DD2DE200h
aaa
inc esp
inc ecx
inc ebx
xor dl, byte ptr [ecx+4Bh]
inc edx
inc esp
bound esi, dword ptr [ebx]
or eax, 63656B0Ah
jno 00007FD5DD2DE1E8h
push edx
insb
js 00007FD5DD2DE201h
outsb
inc ecx
jno 00007FD5DD2DE1E2h
push ebp
inc esi
pop edx
xor eax, dword ptr [ebx+36h]
push eax
aaa
imul edx, dword ptr [ebx+58h], 4Eh
aaa
inc ebx
jbe 00007FD5DD2DE1DCh
dec ebx
js 00007FD5DD2DE1D3h
jne 00007FD5DD2DE1C1h
push esp
inc bp
outsb
inc edx
popad
dec ebx
insd
dec ebp
inc edi
xor dword ptr [ecx+36h], esp
push 0000004Bh
sub eax, dword ptr [ebp+33h]
jp 00007FD5DD2DE1ECh
dec edx
xor bh, byte ptr [edx+56h]
bound eax, dword ptr [edi+66h]
jbe 00007FD5DD2DE1CAh
dec eax
or eax, 506C720Ah
aaa
xor dword ptr fs:[ebp+62h], ecx
arpl word ptr [esi], si
inc esp
jo 00007FD5DD2DE203h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	4e1c21d386d373cf3cebfa726ee2d7e2	False	0.9342447916666666	data	7.816173520616023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wtynnlzu	0xa000	0x29c000	0x29b000	bf76095f7981b681bf3cee09c4ab912b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mwtvpzpt	0x2a6000	0x2000	0x400	cc9bb2ee6f6ece4b1404cca670de27e6	False	0.7861328125	data	6.185648814791688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2a8000	0x4000	0x2200	53f57273920affa0f33b6b7ee3345912	False	0.38419117647058826	DOS executable (COM)	4.123822855835285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	15:59:06
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe30000
File size:	2'756'608 bytes
MD5 hash:	D27D27FDFE69910143ACCCB36FA235C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	3.5%
Signature Coverage:	4.6%
Total number of Nodes:	347
Total number of Limit Nodes:	12

Executed Functions

Function 01017FEC Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11495FEC), ref: 01017FF8
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 01018059

Memory Dump Source

Source File: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 1ecb88816f815db947cf8a4224a80625ea6d51a0de4dc92c82b0eb7c4adb6731
Instruction ID: 43b0823591755049802243525c5fe718b6ef8464aee5cb1dc6e4c4cefdf7f451
Opcode Fuzzy Hash: 1ecb88816f815db947cf8a4224a80625ea6d51a0de4dc92c82b0eb7c4adb6731
Instruction Fuzzy Hash: B74101B2A40206EFE725DF658C45B96B7ECFB08741F0040ABA687CE499D775D2D48BA0

Function 00FB93A6 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00FB93A6

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5b2bfa499a9e1e15dab0c08037b5d5497988050433ca9a8fffa9ecd543888913
Instruction ID: 0e03329b91640ee1faa38a968ede2a6e8f670e5469fcae5cd5b2405272bc7a6e
Opcode Fuzzy Hash: 5b2bfa499a9e1e15dab0c08037b5d5497988050433ca9a8fffa9ecd543888913
Instruction Fuzzy Hash: B5310AB610C600AFE711AE09E941BBAFBE9EFC4720F15482DE6D4C2610E73585449B67

Function 00E3B948 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b98395c024eb6f67542a71058f7f52ab2c4e70531a1175421c51a60996f077
Instruction ID: 1aec5bca082dd0336faecc6d1faac1a67e58d2eb5bd09e668386935fab35a32e
Opcode Fuzzy Hash: c2b98395c024eb6f67542a71058f7f52ab2c4e70531a1175421c51a60996f077
Instruction Fuzzy Hash: 92515772E04A158FDB248F2888093DABFA1EB44314F2A6035CE47BB759D77A5C50C388

Function 0100C3CD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 0100C4DE
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0100C4F2

Strings

.exe, xrefs: 0100C439
.dll, xrefs: 0100C415
1002, xrefs: 0100C4A8

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 6b131211d520ca0029173d3b0c5e8db2d06b643d1f49da6c487318f3a4fb7940
Instruction ID: ba5eb2fbec0b23f3ad5b2bddc6b20cde79bfd8ef806e17dfdddf8039d26165a8
Opcode Fuzzy Hash: 6b131211d520ca0029173d3b0c5e8db2d06b643d1f49da6c487318f3a4fb7940
Instruction Fuzzy Hash: 4C31D431504206EFFF17AF54DA00AFD7BB5FF28310F0282A9E986560E0CB3099A0DB51

Function 01018A18 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.exe, xrefs: 01018B7E
.exe, xrefs: 01018B43, 01018B89, 01018B54, 01018B67

Memory Dump Source

Source File: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: .exe$.exe
API String ID: 0-1392631246
Opcode ID: e986aabb6968e2238c9226a6d387394c1c57473e1dd964a4b40566a17dfccc8d
Instruction ID: c2f4a0645e3f4c4594b5d48430dd15676794d6055f91b5dc154ca743add1df24
Opcode Fuzzy Hash: e986aabb6968e2238c9226a6d387394c1c57473e1dd964a4b40566a17dfccc8d
Instruction Fuzzy Hash: 444196B1900206EFEB65CF18C884BAD7BF4FF01314F54C0D6E992AB595C379AA90CB55

Function 0100C8D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,0100C865,?,00000000,00000000), ref: 0100C990
GetModuleHandleA.KERNEL32(00000000,?,?,?,0100C865,?,00000000,00000000), ref: 0100C99E

Strings

.dll, xrefs: 0100C906

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: ace632dbd60671d5729d0500653a8815d7f6112de544e9385189008227a96e76
Instruction ID: 3e801e2e4f9cd6213a82823049d5780f8d7ca84c599762100c70e37148c35db5
Opcode Fuzzy Hash: ace632dbd60671d5729d0500653a8815d7f6112de544e9385189008227a96e76
Instruction Fuzzy Hash: F7117C30205206EFFF72AF68CA0C79C7AB1BF10345F0003E6A986848E4C7B191E4DA92

Function 0100F22D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00C85174,-11495FEC), ref: 0100F2A6
GetFileAttributesA.KERNEL32(00000000,-11495FEC), ref: 0100F2B4

Strings

@, xrefs: 0100F259

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: cae9ffe982d3c6effcfb33a53bcf124b040ade239f27fe3be6efb88e3af1a7b7
Instruction ID: 8c87a145edc1b7520b5ec98e0bf364b40f9ea40f1ee3e94f9c893848a115fe0b
Opcode Fuzzy Hash: cae9ffe982d3c6effcfb33a53bcf124b040ade239f27fe3be6efb88e3af1a7b7
Instruction Fuzzy Hash: CF016D79604606EBFF73AF68C80879CBEB0BF50344F004165D982650D4C7B056D5EA40

Function 0100B2AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 0100B30F

Strings

\\?\, xrefs: 0100B36A

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: e7f119b1296d6eb8089f9834a7278e39dbba795d070825d9f2a2361792f7d4ba
Instruction ID: f6369d4b1720e19294a6693200e74a585928ab5a8e686b2b5bc35cb424318fa3
Opcode Fuzzy Hash: e7f119b1296d6eb8089f9834a7278e39dbba795d070825d9f2a2361792f7d4ba
Instruction Fuzzy Hash: 2231F97560020AFFEF639F98CD09B9EBBB6BF04705F005195EA41A50A0D7729661DB50

Function 0100C9BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0100CA20

Strings

.dll, xrefs: 0100C9DD

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentHandleModuleThread
String ID: .dll
API String ID: 2752942033-2738580789
Opcode ID: 99a601249024abc6d61588bf842f5909427c91ee90d6723b66865509ff594639
Instruction ID: fcd3f1785c42f16885ba3752fcc5c81ab44d3b231d7eec5a19707373fc5ac825
Opcode Fuzzy Hash: 99a601249024abc6d61588bf842f5909427c91ee90d6723b66865509ff594639
Instruction Fuzzy Hash: 3FF09071200306EFFF12EF58D948BAD7BA4BF69344F118291FE4686096D730C591EA22

Function 0100F449 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00C85174,?,?,-11495FEC,?,?,?,-11495FEC,?), ref: 0100F4FB

Part of subcall function 0100F3FB: IsBadWritePtr.KERNEL32(?,00000004), ref: 0100F409

CreateFileA.KERNEL32(?,?,?,-11495FEC,?,?,?,-11495FEC,?), ref: 0100F51B

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: a3f08e88bca2a22455cde76d2c768e689ae70fd5956dc8aad51a0ebb20e10e5f
Instruction ID: c0a5ca0ad87655f7acb1997f4d381210fbe8c6464e528976454a124fbe9f8bee
Opcode Fuzzy Hash: a3f08e88bca2a22455cde76d2c768e689ae70fd5956dc8aad51a0ebb20e10e5f
Instruction Fuzzy Hash: 9311D33110410BFBEF23AF94D908BEE3E72BF18245F058155BA86644A0CB7685A5FB91

Function 0100EDB5 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

GetCurrentProcess.KERNEL32(-11495FEC), ref: 0100EDC2
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100EE28

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessThread
String ID:
API String ID: 3748180921-0
Opcode ID: dbe660a94eb75682d5aa73889598f92761cf57fb0683c696f0d5d9611a7189a4
Instruction ID: e56f86c15591f873e429bdc32641841da29a96c08578d9c7fd40d69c03c5cce4
Opcode Fuzzy Hash: dbe660a94eb75682d5aa73889598f92761cf57fb0683c696f0d5d9611a7189a4
Instruction Fuzzy Hash: C9012C3210014BEBAF536FA4DC08CDE3B66BFA8350F044911F98661094C735C5A1DBA1

Function 00FBC807 Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c43fb1a53b24f31ef32efc85a57bfa6c269cecc63691c656929f324dd47d4e
Instruction ID: eb81836c9e30c9b28b408bbd68722a403f03d8c5781689797b829bce0a32b68b
Opcode Fuzzy Hash: 16c43fb1a53b24f31ef32efc85a57bfa6c269cecc63691c656929f324dd47d4e
Instruction Fuzzy Hash: 8641F4B324C249AEF301CE629D24BFF7B69E7C2730F35451AF482D6842D2A50D056AB5

Function 00FBCB73 Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38c60dd37e63f43dcb194fa445354df8a5f5e9d10154646fdaa2187e92afe89
Instruction ID: 65d4d3c7a6c00f105f00bd37f9fb3669c1d6ec9a5795fdcb7e733d1d89a196da
Opcode Fuzzy Hash: e38c60dd37e63f43dcb194fa445354df8a5f5e9d10154646fdaa2187e92afe89
Instruction Fuzzy Hash: 9931E5F714C2856EE302CA52AE50EFB3FADDBE2730B20445BF449DA142D2550D09BAB5

Function 00FBCB9A Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3972156fbe5091240d3e97067964df71db7241b5760602094047790eace7b4e
Instruction ID: d7a370a68267f58ca3b5e17d9d8aa83c302a27646149fc286b73e949eb426a42
Opcode Fuzzy Hash: d3972156fbe5091240d3e97067964df71db7241b5760602094047790eace7b4e
Instruction Fuzzy Hash: EF3108F710C2852EE202CA52AD50BFB3FADDBE2730B30445BF445DA542D2550D087AB4

Function 00FB94E0 Relevance: 1.6, APIs: 1, Instructions: 127
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00FB94E0

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 78bceb63841a2aedc01fd317b7a722f32880276a8b247c9f4e992be0853ff4e4
Instruction ID: a14e11e84843fd6fadb533b0d718d000848a236585cfb0017505b60bce6059c9
Opcode Fuzzy Hash: 78bceb63841a2aedc01fd317b7a722f32880276a8b247c9f4e992be0853ff4e4
Instruction Fuzzy Hash: DF31A0B250C200EFE716AF1ADC816BEFBE9FF84320F25482DEAC583210D7715941AA57

Function 00FBCBB4 Relevance: 1.6, APIs: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 356eeb0c08ed6a0391f3fad860804d77b23c80e7b737dc99134589a535f08d31
Instruction ID: 7a434ee95925fb350e4de432a0c019f42f8810314023f54235f8a648f9ef1a39
Opcode Fuzzy Hash: 356eeb0c08ed6a0391f3fad860804d77b23c80e7b737dc99134589a535f08d31
Instruction Fuzzy Hash: 852139F710C2857EE201CA526E50EFB3FADE6E1730B30845BF44ADA542D2510D087AB4

Function 00FBCBD2 Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f44bb41b0a07d62ebeb138832491e0e66100bfe62314cb60e47bbbb1b228f632
Instruction ID: 21f4f7311379442a901e93ed9f021ecab37d08efd660b1ddd78d36c5991ac1c5
Opcode Fuzzy Hash: f44bb41b0a07d62ebeb138832491e0e66100bfe62314cb60e47bbbb1b228f632
Instruction Fuzzy Hash: 51214BF714C2856FE202CA56AE20AFB3FADDBE1730B30445BF449CA082D2510D08BBB4

Function 00FBC8FF Relevance: 1.6, APIs: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,A476C47B,00000003,00000000,00000003), ref: 00FBC9D6

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f788bbf65ff0cdace25356105b46b316ad19f484ea5155212260f2e270659d8c
Instruction ID: 6b2fe271bb64335bf4060c36f1a051f9d384455cb83b2da306fd464914bc3c6e
Opcode Fuzzy Hash: f788bbf65ff0cdace25356105b46b316ad19f484ea5155212260f2e270659d8c
Instruction Fuzzy Hash: 2131E7B354C2966FE701CE724D246EB7F6DDB82720B29455BE481D7442D3544C0AABB1

Function 0100D434 Relevance: 1.6, APIs: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0100D4E9

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8241524cf4a5fb44bf5d9c1123a71919b98f4653047bddf7b41239a41b4a16cd
Instruction ID: 3d2659bb2be04334dd56af738d3037794409e93de44d93d958c12a674f691c19
Opcode Fuzzy Hash: 8241524cf4a5fb44bf5d9c1123a71919b98f4653047bddf7b41239a41b4a16cd
Instruction Fuzzy Hash: E6315E71600205FBFB229FA8DC44F9DBBB8EF05319F1082AAF955AB1D1C771A551DB20

Function 00FBCBEF Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37c131cade296630f86c289138b4d3e40f3ab35be7531ef5619abb3934591516
Instruction ID: d51eb783840f229bf8963505fd46cee6f9e9f2e6b9fe25a03267f27b0f0852d5
Opcode Fuzzy Hash: 37c131cade296630f86c289138b4d3e40f3ab35be7531ef5619abb3934591516
Instruction Fuzzy Hash: 352129F714C2856EE206CB52AE50AFB3FA9EBF1730B30445BF449CA582D2551D09BAB4

Function 00FBCC00 Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: def4b016b44634fb55464aaa06ff36e1c5bb27875f1768a708dcd7ca6fc8616f
Instruction ID: e386f94ff475be7e2227d20298bac15b3cc889d7aa66d0166d7e63989ab4855c
Opcode Fuzzy Hash: def4b016b44634fb55464aaa06ff36e1c5bb27875f1768a708dcd7ca6fc8616f
Instruction Fuzzy Hash: F8213BF710C2852FE206CB56AD50AFB7FA9EAE2730B30445BF449CA582D2511D09BAB5

Function 0100CC50 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0100CCD2

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7ca9e56baf14181f7e828de91e3c0ac93904d6475c207d027066e3defa5d49c8
Instruction ID: 57e9cc5960cdb5c0842811838ce79cf00c89fb59ea36ef117f15a5266fa5af74
Opcode Fuzzy Hash: 7ca9e56baf14181f7e828de91e3c0ac93904d6475c207d027066e3defa5d49c8
Instruction Fuzzy Hash: 5D31C171600209BFFB329F68DD45F997BB8EF05728F2043AAF655AA1D1D3B1A181CB14

Function 00FBCA1D Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,A476C47B,00000003,00000000,00000003), ref: 00FBC9D6

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 984f415532ba9e1f78be851e34ebc21b2cb2baf0854ed8a5420636c7aded3a72
Instruction ID: ec5adc1576e6a8081997ee7d3c0428c2c67785c0f9bccdb5b549ce9d489a8ad6
Opcode Fuzzy Hash: 984f415532ba9e1f78be851e34ebc21b2cb2baf0854ed8a5420636c7aded3a72
Instruction Fuzzy Hash: DE11297654D3955FD7029B718C346CA7FB8EB43720F29059BE0C1DB4D3D2680D0AA7A2

Function 01018765 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 01018812

Memory Dump Source

Source File: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 6d85cca73bd401de08deedfdda70b0e2770e43ff10670f8c34c6d256c3b55f3b
Instruction ID: 2b3eca5222e70d8afd1b2ab949757290d5b10f028265b122d0d52794b5cf4644
Opcode Fuzzy Hash: 6d85cca73bd401de08deedfdda70b0e2770e43ff10670f8c34c6d256c3b55f3b
Instruction Fuzzy Hash: 8E119376F016269FEB715A089C48BEA77ACFF04754F10C0E7ED85A6049D778DA808AA1

Function 00FBC99E Relevance: 1.6, APIs: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,A476C47B,00000003,00000000,00000003), ref: 00FBC9D6

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 967080736f3159b90994112207aa43e16756a03c08bef140f2aef56bb4844b2a
Instruction ID: 4b1b89912a0a86539c9bdcbbf66425045e9c164eab803c57e434a755d80efe08
Opcode Fuzzy Hash: 967080736f3159b90994112207aa43e16756a03c08bef140f2aef56bb4844b2a
Instruction Fuzzy Hash: F011E77314C2955FD7019AB549247DA7FB8EB83730F29049BE0C1DB482D2550D0AA7B2

Function 04C80D42 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04C80DCD

Memory Dump Source

Source File: 00000000.00000002.1913463889.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c80000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ec87e5daf1747f9e3d058165060c6099896fb4e6ed08e82f545dcbacb74f8051
Instruction ID: 4390d9db4289c5249fd0e7a4fffb883fa4cbd9d3a76b14c80a4798e244a2862a
Opcode Fuzzy Hash: ec87e5daf1747f9e3d058165060c6099896fb4e6ed08e82f545dcbacb74f8051
Instruction Fuzzy Hash: 132149B6C01218DFCB10DF99D484BDEFBF1EB88320F15812AD908AB204D734A544CFA5

Function 00FBC9AA Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,A476C47B,00000003,00000000,00000003), ref: 00FBC9D6

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4095034e02c8f5b010e82e37adadd97989c8ba88c00b2f3ef3a347744896adc5
Instruction ID: 9353c577032be2a3ca78ccfedaed8d27518f21bde0daaa56d3ed4e44e1d2944a
Opcode Fuzzy Hash: 4095034e02c8f5b010e82e37adadd97989c8ba88c00b2f3ef3a347744896adc5
Instruction Fuzzy Hash: DB11066218C3965FD7019AB54C247DA7FB8EB43730F29049BE0C1DB483D2540D49ABA2

Function 04C80D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04C80DCD

Memory Dump Source

Source File: 00000000.00000002.1913463889.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c80000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 6138cfc2b33f69f07d33747f086531cb652015e477ca6c77b6122afd26e110c1
Instruction ID: 38043e8351341c4461da0b0faed94071f702542ecd772ccbfc11067265b48812
Opcode Fuzzy Hash: 6138cfc2b33f69f07d33747f086531cb652015e477ca6c77b6122afd26e110c1
Instruction Fuzzy Hash: E02127B6C01218DFCB50DF9AD885BDEFBF5EB88324F15812AD908AB204D734A544CFA5

Function 00FBC9B8 Relevance: 1.6, APIs: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000,A476C47B,00000003,00000000,00000003), ref: 00FBC9D6

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e60d414b26e5a13a2242c2ed03e6d4facbdb6c763c50158eb2abeb55c5145345
Instruction ID: ea59fbffa73242fc81b1dcedca56660ed16e9a95139fff460c82d5bb828c82f5
Opcode Fuzzy Hash: e60d414b26e5a13a2242c2ed03e6d4facbdb6c763c50158eb2abeb55c5145345
Instruction Fuzzy Hash: 0111067258C3956FD7029B7588346DABFB8EB43730F29049FE0C19B483D2640D0597A6

Function 04C81509 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04C81580

Memory Dump Source

Source File: 00000000.00000002.1913463889.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c80000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: c150634bdfc70112e0afdb63a9fe6590e80c65e201bead8f416f93dd69fd40a1
Instruction ID: 37f57d4bfce75fe9e0178dc98b5138e4cb813c794f5eb6042d3f9adfa3ea52bb
Opcode Fuzzy Hash: c150634bdfc70112e0afdb63a9fe6590e80c65e201bead8f416f93dd69fd40a1
Instruction Fuzzy Hash: D72114B5900249CFDB10DF9AD584BDEFBF4AB48324F14802AE558A7250C738A644CFA5

Function 04C81510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04C81580

Memory Dump Source

Source File: 00000000.00000002.1913463889.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c80000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 975e0f7d62c5902f8f3f3597dfecf9740527a6387f90f5bbdab271a676b9e615
Instruction ID: a91a8d0c0b5deb593915c20465b0944b7019b83461236ba6280b920abd427ee5
Opcode Fuzzy Hash: 975e0f7d62c5902f8f3f3597dfecf9740527a6387f90f5bbdab271a676b9e615
Instruction Fuzzy Hash: C21126B1D00249CFDB10DF9AD584BDEFBF4EB48324F14802AE558A3250D778A644CFA5

Function 00FBCC60 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 891ecd7896187757934814d6bc21c23637108a2ccd87df51fad5edc44b0657fa
Instruction ID: 8527bed3ed33e38e8711aad6fb69a079731f93f8caef9d4429e2ff144f2b6531
Opcode Fuzzy Hash: 891ecd7896187757934814d6bc21c23637108a2ccd87df51fad5edc44b0657fa
Instruction Fuzzy Hash: 260126F200C28A5FC7068F62DC506FB3FA4EBA2370B10024BE95ADE4D2D2511C04FBA5

Function 0100FF81 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11495FEC), ref: 01010008

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentFileThreadView
String ID:
API String ID: 1949693742-0
Opcode ID: 231c5699fb84bef75258f49ce37ca5987f560146e901926f4c6ad15c73b4e42f
Instruction ID: ce00ace6f52bdeb4e1e5e763effd0efeb5512cd0b3b3a5f535d6fc1379224b48
Opcode Fuzzy Hash: 231c5699fb84bef75258f49ce37ca5987f560146e901926f4c6ad15c73b4e42f
Instruction Fuzzy Hash: E511A83250024BEBEF636FA4DD08DAE3B66BF69341F044515FA8656068C736C4B1EBA1

Function 0100FD69 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 579233f41283caa98cbe4d82a2446929ac8ecd6bc41059abf607b07b420d7799
Instruction ID: 3edcef3905885d0dd99ebe2f38705e7c4feb6e1c2a4d5df0ae78300dc9da0f93
Opcode Fuzzy Hash: 579233f41283caa98cbe4d82a2446929ac8ecd6bc41059abf607b07b420d7799
Instruction Fuzzy Hash: AE11273220020BEFFF63AFA8E808EDE3BB6BF54344F044462B995460A5C735C561EB61

Function 00FBCC81 Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fba99f48d4f181e4b1da87d400b49890f7498c028880bd7f4742fb18b0135a6
Instruction ID: 943c09bff7c7b7d32ba62f1cf9deaa52c5043be248a587eddce8ab2984eed05a
Opcode Fuzzy Hash: 0fba99f48d4f181e4b1da87d400b49890f7498c028880bd7f4742fb18b0135a6
Instruction Fuzzy Hash: DC0128F200D2C65FC706DF12C8505EB3F60BF62370B14114AD55ACE4D2D2541C04EF95

Function 04C81301 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04C81367

Memory Dump Source

Source File: 00000000.00000002.1913463889.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c80000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 4ab8a1fe7e83091da21c9a7c171b1584bcf3771a63824f1b43c7ea627cdcca11
Instruction ID: 69377414816541b468f1efb3fbed48e59f36272ed3b1b012a70e2c02feebfd9a
Opcode Fuzzy Hash: 4ab8a1fe7e83091da21c9a7c171b1584bcf3771a63824f1b43c7ea627cdcca11
Instruction Fuzzy Hash: 491163B1900209CFDB10DF9AC444BEEFBF4EF48324F24842AD568A3240C738A984CFA5

Function 04C81308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04C81367

Memory Dump Source

Source File: 00000000.00000002.1913463889.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c80000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 24012f9d2e4beb08adb35910aa9acde405fc6f8751ed52f7bf1a0beae5ddc9fe
Instruction ID: 8b4994cae6cd986ff67dd0cb72525c7fe5e64da8b06e7aabce297c388bbf9c6c
Opcode Fuzzy Hash: 24012f9d2e4beb08adb35910aa9acde405fc6f8751ed52f7bf1a0beae5ddc9fe
Instruction Fuzzy Hash: 0E1145B1800249CFDB10DF9AC545BDEFBF8EB48324F24842AD558A3250C778A984CFA5

Function 00FBCC97 Relevance: 1.5, APIs: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 13eb1081141795a8a0c2bd7121ab62a05861135f6cecd76ed4ba6b05864aefb6
Instruction ID: 3d1054e77c834fdfc30fcd0c77c1ecf298b8a249ecc740c9ce8b82fdc12e1484
Opcode Fuzzy Hash: 13eb1081141795a8a0c2bd7121ab62a05861135f6cecd76ed4ba6b05864aefb6
Instruction Fuzzy Hash: 7D01D6B200D2CA5FC70ADF66D8900EB7F60FE66330714128AD4AADE592C6251C48EF95

Function 0100F64D Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11495FEC,?,?,0100D37C,?,?,00000400,?,00000000,?,00000000), ref: 0100F6B9

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentFileReadThread
String ID:
API String ID: 2348311434-0
Opcode ID: bc9169d40f2eb4c6494af89c0874b158a6efee924c18eb6da2a152816d03c4e2
Instruction ID: 0eb4f4a99020d2c41fe9ce0601978ed0bb084cd1af94e30c7e4b0d6c158601c2
Opcode Fuzzy Hash: bc9169d40f2eb4c6494af89c0874b158a6efee924c18eb6da2a152816d03c4e2
Instruction Fuzzy Hash: 82F01D3220010BEFEF13AFA8DD08DDE3F66AFA9240F054112B686560B4C735C4A1EB61

Function 00FBCCBA Relevance: 1.5, APIs: 1, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2cf2a4fbbee5eed1a66983da3d65e73baccf8379a06cfe8fbe503f7c20c4a441
Instruction ID: 65512f3e8479523dfc8edefc699d5aad05ace678e9bbd52a4fab3cf4f3896e2c
Opcode Fuzzy Hash: 2cf2a4fbbee5eed1a66983da3d65e73baccf8379a06cfe8fbe503f7c20c4a441
Instruction Fuzzy Hash: 33F0C2B600E28A5FC70BEF65C8A00DB3F61AE62371304129AD866DE4D3D6152C18EFA1

Function 00FBCCE7 Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(2D39A190), ref: 00FBCD00

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 646ef1aa028232b14443203ae11f4435204f06eef1fc24fdba8cc7c57f70bfab
Instruction ID: f9d8b627d31069e425e218b64b3428bc570333ca58294bc7ce93a0a13b790619
Opcode Fuzzy Hash: 646ef1aa028232b14443203ae11f4435204f06eef1fc24fdba8cc7c57f70bfab
Instruction Fuzzy Hash: CEE0E5B104E2C95FC70B9F34DCA14AB7FA4AF92365748179EC4A6CE0D3C5251D14CB21

Function 0100AECB Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 0100AF2F

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 75b6c73385aeafe28c8a577af7bc7fa716ac8542dfabc74ae1791f5a3091aa77
Instruction ID: f6f49c031cd925bc57bd72fab99c9619051633c77b8b640e1fc095a21789aadb
Opcode Fuzzy Hash: 75b6c73385aeafe28c8a577af7bc7fa716ac8542dfabc74ae1791f5a3091aa77
Instruction Fuzzy Hash: A001E87260420AFFEF12AFA4DC05EDEBFB6FF58340F0051A5A505A50A0D7369A61DF60

Function 0101838F Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0101838B,?,?,01018091,?,?,01018091,?,?,01018091), ref: 010183AF

Memory Dump Source

Source File: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 61f061549425fac86a6a116c3f6f664c8f7f999cd76e087d454e9b5e5fb7b352
Instruction ID: aa42ef23a9f9ee672f0dc50862a59a6aa42d9a1e8aed3a38dfd28b1fbd255c7f
Opcode Fuzzy Hash: 61f061549425fac86a6a116c3f6f664c8f7f999cd76e087d454e9b5e5fb7b352
Instruction Fuzzy Hash: B6F08CB1900209EFE7658F18C904B99BFE4FF44761F10C0AAF68B9B5A5D3B5A4C0CB90

Function 0100DA4E Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

CloseHandle.KERNELBASE(0100D411,-11495FEC,?,?,0100D411,?), ref: 0100DA8C

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseCurrentHandleThread
String ID:
API String ID: 3305057742-0
Opcode ID: 185ea5185c79c39ac8fab08a05ec9ca6c13b501ae7b13ac09103f0a0c224839a
Instruction ID: a303b751e1a11b39b4622ca02955c92a06fc754f416a8206b788bba56e4bc31e
Opcode Fuzzy Hash: 185ea5185c79c39ac8fab08a05ec9ca6c13b501ae7b13ac09103f0a0c224839a
Instruction Fuzzy Hash: 1BE04F66304647EBFE237BF8D808DCE7B69AFF6245F014222A487860C4DA24C1D2D371

Function 0100CB13 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,0100AB99,?,?), ref: 0100CB19

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b248f07ff8e39a265946f1e89b6533051184a34f1c1d9ce6ea91a35fcf1b3045
Instruction ID: bb461c0e72417a4e0026efe6bcbc4f8af0fd554ff4a5fa4d3aaca3675608308a
Opcode Fuzzy Hash: b248f07ff8e39a265946f1e89b6533051184a34f1c1d9ce6ea91a35fcf1b3045
Instruction Fuzzy Hash: CCB0923110050DBBEF12BF61DC0588DBF69FF2A298B008221BA4A44164CB72E9A1DB95

Non-executed Functions

Function 0100EE47 Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

GetSystemTime.KERNEL32(?,-11495FEC), ref: 0100EE7C
GetFileTime.KERNEL32(?,?,?,?,-11495FEC), ref: 0100EEBF

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Time$CurrentFileSystemThread
String ID:
API String ID: 2191017843-0
Opcode ID: 744bad3d91b5e66f5b21db5116b2c098ab69ac655af7068c147daf36b7be8ebb
Instruction ID: 234b82f73468ba78518f60c671e35637739afe0609b423c9971b6f8f66ab771a
Opcode Fuzzy Hash: 744bad3d91b5e66f5b21db5116b2c098ab69ac655af7068c147daf36b7be8ebb
Instruction Fuzzy Hash: 2C01DA3220058AEFEB226F69DC0CD8E7F76EFD5311F054926F446550A4C736D8A2DA61

Function 00FB5001 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

%S~, xrefs: 00FB57F3

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: %S~
API String ID: 0-3661705871
Opcode ID: 99da8620de08e618dfee813ca7b928d1208e6bc5a3e4188a35d14905d535227d
Instruction ID: bccece5b0a8ef248e6235dc8f3a48adfb8a6394e1cfbbc55852de7bc07474c17
Opcode Fuzzy Hash: 99da8620de08e618dfee813ca7b928d1208e6bc5a3e4188a35d14905d535227d
Instruction Fuzzy Hash: E02239F3A0C2009FE308AE3DDC4567AF7E5EF94720F26892DE5C5D3744EA7598018696

Function 00FB53BB Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

%S~, xrefs: 00FB57F3

Memory Dump Source

Source File: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: %S~
API String ID: 0-3661705871
Opcode ID: e98615969fc04adbab1c43998fa8e915da764541e1cd31a6e10ebb96397a4cfe
Instruction ID: e012b20d7748d412514435fe6efa7ad236296c33d38e6694411c8ef61d750117
Opcode Fuzzy Hash: e98615969fc04adbab1c43998fa8e915da764541e1cd31a6e10ebb96397a4cfe
Instruction Fuzzy Hash: A60206F3A086009FE304AF2DEC8577AB7E5EB94720F168A2DE6C4D3744E63598418792

Function 0100FD05 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 0100FD4C

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: cd4e79fb150db56492ca787b23fba0c4476890d30c32f00f472f89ef67e11739
Instruction ID: ccf54e49c2877e8b384157fbff73f6e709f22c5c06eb0960a0ff0d17d8024283
Opcode Fuzzy Hash: cd4e79fb150db56492ca787b23fba0c4476890d30c32f00f472f89ef67e11739
Instruction Fuzzy Hash: 97F0F83260420AEFDF12DF94D944A8C7BB2FF09318F10852AFA5696161D7759662EF40

Function 0103FCD3 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5a7adbcb810f32beecf6fbae4b23e4350d6172d5523351a299f844183134eb
Instruction ID: 1beeda3b08aab630216c1bcbe293b742fca40e124fdb095de326c61f0b0d0ef5
Opcode Fuzzy Hash: bd5a7adbcb810f32beecf6fbae4b23e4350d6172d5523351a299f844183134eb
Instruction Fuzzy Hash: AF21E1B2D5C60ADBD7087E28D90A67EB7E9EB40610F01092EDAD38A680EA355450C787

Function 0100E37D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0100ACFA: GetCurrentThreadId.KERNEL32 ref: 0100AD09

Part of subcall function 0100F3FB: IsBadWritePtr.KERNEL32(?,00000004), ref: 0100F409

wsprintfA.USER32 ref: 0100E3C3
LoadImageA.USER32(?,?,?,?,?,?), ref: 0100E487

Strings

%8x, xrefs: 0100E3BE, 0100E3C1
%8x, xrefs: 0100E451, 0100E484

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentImageLoadThreadWritewsprintf
String ID: %8x$%8x
API String ID: 439219941-2046107164
Opcode ID: 856ad168a0feef28de1e0e94f6d9f7deaf0614d50383121de17100170b873a26
Instruction ID: 4049823668ba3ba256a0722e5dd25c4a90a463600000129c9053f36ec814e2f5
Opcode Fuzzy Hash: 856ad168a0feef28de1e0e94f6d9f7deaf0614d50383121de17100170b873a26
Instruction Fuzzy Hash: BD310631A0020AEFDF12DF94DC09EEEBB75FF98300F108125BA12A61A0C7319A61DB51

Function 0100EF4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00C85174,00004020,00000000,-11495FEC), ref: 0100F03B

Strings

@, xrefs: 0100EF7A

Memory Dump Source

Source File: 00000000.00000002.1911791307.0000000001003000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.1911387753.0000000000E30000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911401955.0000000000E32000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911416153.0000000000E36000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911431293.0000000000E3A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911447144.0000000000E44000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911460905.0000000000E45000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911475389.0000000000E46000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911574805.0000000000FA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911592277.0000000000FA5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FB5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911610850.0000000000FC3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911646533.0000000000FC5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911661478.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911675197.0000000000FCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911689522.0000000000FCE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911707805.0000000000FD7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911721673.0000000000FD8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911736777.0000000000FDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911753048.0000000000FDC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911772715.0000000000FF2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911807216.0000000001011000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911821627.0000000001012000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911835873.0000000001013000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911849802.0000000001015000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911863994.0000000001016000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911877571.0000000001017000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911894411.0000000001023000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911909990.0000000001025000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911926892.0000000001033000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911944209.000000000103A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911958607.000000000103B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911972911.000000000103E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1911991214.000000000104E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912005666.0000000001050000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912022277.0000000001051000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912042086.0000000001054000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912061199.000000000105B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912076081.000000000105D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912170341.0000000001064000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912190652.0000000001066000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912226859.00000000010BD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912242800.00000000010BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912259888.00000000010C6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912293036.00000000010D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1912307688.00000000010D8000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: a72567246e06775e9c0dda2d81d4894153413d02d63960d429e200d2e8906f7f
Instruction ID: d017d633fda5c69dae652b4081bff6fd6112791fded98cbba025a7477f5d71d3
Opcode Fuzzy Hash: a72567246e06775e9c0dda2d81d4894153413d02d63960d429e200d2e8906f7f
Instruction Fuzzy Hash: D5316DB5504706EFEB26CF44C848B9EBBB0FF48340F008519FA9667690C3B5A6A5DF90

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7072, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7072, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 01017FEC Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 0100C3CD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 01018A18 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Function 0100C8D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 0100F22D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 0100B2AD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 0100C9BC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 0100F449 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 0100EDB5 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 00FBC807 Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Function 00FBCB73 Relevance: 1.7, APIs: 1, Instructions: 151
COMMON

Function 00FBCB9A Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Function 00FB94E0 Relevance: 1.6, APIs: 1, Instructions: 127
libraryCOMMON