Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561645
MD5:	92b22f14f1664cc7bb2f42daf6fd1799
SHA1:	68a767dd4bcd60e310bafd7219749093bd013bc6
SHA256:	85507d05a1da7659f9045ec2d969ddd0de20723fc7422b4985bd392411449fe8
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6280 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 92B22F14F1664CC7BB2F42DAF6FD1799)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B6DDB CryptVerifySignatureA,

0_2_005B6DDB

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2131883440.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E5893		0_2_003E5893
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DDABA		0_2_003DDABA

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005B1DD0 appears 35 times

Source: file.exe, 00000000.00000002.2265864574.0000000001023000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2842624 > 1048576

Source: file.exe

Static PE information: Raw size of heclofms is bigger than: 0x100000 < 0x2b0000

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W;heclofms:EW;owtxsouk:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2c27b6 should be: 0x2bdb73

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: heclofms
Source: file.exe	Static PE information: section name: owtxsouk
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B068 push eax; mov dword ptr [esp], 6B946661h	0_2_0055B0C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B068 push esi; mov dword ptr [esp], ecx	0_2_0055B0E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B068 push 17F36738h; mov dword ptr [esp], eax	0_2_0055B13C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E135D push ebx; mov dword ptr [esp], ecx	0_2_003E3474
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E135D push ebp; mov dword ptr [esp], eax	0_2_003E4310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D404F push 75D3E45Bh; mov dword ptr [esp], ebx	0_2_005D407B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D404F push 299F4AD7h; mov dword ptr [esp], ebp	0_2_005D40CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E200C push 3F8D8ECEh; mov dword ptr [esp], ebp	0_2_003E2018
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00570061 push eax; ret	0_2_00570070
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B06F push eax; mov dword ptr [esp], 6B946661h	0_2_0055B0C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B06F push esi; mov dword ptr [esp], ecx	0_2_0055B0E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B06F push 17F36738h; mov dword ptr [esp], eax	0_2_0055B13C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00568069 push 15ECE88Dh; mov dword ptr [esp], ebx	0_2_0056BDE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056B019 push 13F0A79Ah; mov dword ptr [esp], edx	0_2_0056B01E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055F03D push esi; ret	0_2_0055F04C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056B03F push 1B554E5Ch; mov dword ptr [esp], ebx	0_2_0056B062
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CA02A push ebx; mov dword ptr [esp], edx	0_2_005CA04E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005CA02A push ebp; mov dword ptr [esp], esi	0_2_005CA071
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066901E push edx; mov dword ptr [esp], ecx	0_2_00669028
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066901E push ebx; mov dword ptr [esp], 4194FCA7h	0_2_00669072
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D0E1 push ebp; mov dword ptr [esp], eax	0_2_0055D110
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0056A0EC push 266E14DBh; mov dword ptr [esp], eax	0_2_0056A0F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DD0E8 push ebp; mov dword ptr [esp], ecx	0_2_003DD6A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E20D3 push edi; mov dword ptr [esp], edx	0_2_003E20E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055D0B8 push 32DDE68Ah; mov dword ptr [esp], eax	0_2_0055D0BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00569145 push edi; mov dword ptr [esp], eax	0_2_005693E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003DD125 push 005B671Ah; mov dword ptr [esp], ebp	0_2_003DD12A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E2122 push edx; mov dword ptr [esp], 3A00952Fh	0_2_003E1B5A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E2122 push eax; mov dword ptr [esp], ebp	0_2_003E3C53
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E2122 push edx; mov dword ptr [esp], ecx	0_2_003E3C97
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003E2122 push edi; mov dword ptr [esp], 00000000h	0_2_003E3C9B

Source: file.exe

Static PE information: section name: entropy: 7.818185395285856

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DE275 second address: 3DE294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jmp 00007F3704EAC2C4h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DE294 second address: 3DE2AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3704502855h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DE2AD second address: 3DE2B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 3DE2B1 second address: 3DDB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a popad 0x0000000b push dword ptr [ebp+122D16E1h] 0x00000011 jmp 00007F3704502851h 0x00000016 call dword ptr [ebp+122D1D95h] 0x0000001c pushad 0x0000001d jmp 00007F3704502854h 0x00000022 xor eax, eax 0x00000024 sub dword ptr [ebp+122D1D76h], ebx 0x0000002a mov dword ptr [ebp+122D1D76h], esi 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 cld 0x00000035 cld 0x00000036 mov dword ptr [ebp+122D37E5h], eax 0x0000003c jno 00007F370450284Ch 0x00000042 mov esi, 0000003Ch 0x00000047 mov dword ptr [ebp+122D1E60h], edx 0x0000004d stc 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 ja 00007F370450284Ch 0x00000058 lodsw 0x0000005a mov dword ptr [ebp+122D2673h], edi 0x00000060 jmp 00007F370450284Bh 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 pushad 0x0000006a mov dx, si 0x0000006d sub dl, FFFFFFB8h 0x00000070 popad 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 stc 0x00000076 pushad 0x00000077 mov ecx, dword ptr [ebp+122D38D9h] 0x0000007d push ebx 0x0000007e mov edi, dword ptr [ebp+122D37C9h] 0x00000084 pop eax 0x00000085 popad 0x00000086 nop 0x00000087 push eax 0x00000088 push edx 0x00000089 jmp 00007F370450284Ch 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55BCAA second address: 55BCAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55BCAE second address: 55BCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55AEEE second address: 55AF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3704EAC2B6h 0x0000000a pop esi 0x0000000b pushad 0x0000000c jnc 00007F3704EAC2B6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55AF07 second address: 55AF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3704502846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55B179 second address: 55B184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3704EAC2B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55B184 second address: 55B1AC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3704502848h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F370450284Eh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 ja 00007F3704502870h 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007F3704502846h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55B333 second address: 55B339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55EFE1 second address: 55EFE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55EFE7 second address: 55F008 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ecx, dword ptr [ebp+122D3971h] 0x0000000f push 00000000h 0x00000011 xor dword ptr [ebp+122D270Bh], edi 0x00000017 push 83B8D22Ch 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F008 second address: 55F00C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F00C second address: 55F016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F016 second address: 55F0AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 7C472E54h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F3704502848h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b jmp 00007F370450284Eh 0x00000030 push 00000003h 0x00000032 mov edx, dword ptr [ebp+122D34ACh] 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D1DBDh], ebx 0x00000040 push 00000003h 0x00000042 jmp 00007F3704502859h 0x00000047 call 00007F3704502849h 0x0000004c jmp 00007F3704502850h 0x00000051 push eax 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 push esi 0x00000056 pop esi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0AF second address: 55F0E4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F3704EAC2BBh 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3704EAC2C7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0E4 second address: 55F0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F0EA second address: 55F10F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F3704EAC2BCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F10F second address: 55F113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F113 second address: 55F11D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F3704EAC2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F201 second address: 55F214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jo 00007F3704502846h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F214 second address: 55F21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F21A second address: 55F222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F222 second address: 55F29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 mov si, ax 0x0000000a push 00000000h 0x0000000c mov dword ptr [ebp+122D1DCAh], esi 0x00000012 mov dword ptr [ebp+122D284Ch], ebx 0x00000018 call 00007F3704EAC2B9h 0x0000001d je 00007F3704EAC2C2h 0x00000023 jp 00007F3704EAC2BCh 0x00000029 push eax 0x0000002a jns 00007F3704EAC2D7h 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 pushad 0x00000035 jbe 00007F3704EAC2BCh 0x0000003b jne 00007F3704EAC2B6h 0x00000041 push ebx 0x00000042 pushad 0x00000043 popad 0x00000044 pop ebx 0x00000045 popad 0x00000046 mov eax, dword ptr [eax] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F29B second address: 55F29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F29F second address: 55F2A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F2A5 second address: 55F339 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F370450284Bh 0x00000011 pop eax 0x00000012 stc 0x00000013 push 00000003h 0x00000015 movzx esi, di 0x00000018 push 00000000h 0x0000001a jnl 00007F370450284Ch 0x00000020 push 00000003h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F3704502848h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov di, 339Bh 0x00000040 push 8B8F3EF4h 0x00000045 jmp 00007F3704502858h 0x0000004a add dword ptr [esp], 3470C10Ch 0x00000051 xor dword ptr [ebp+122D294Eh], ebx 0x00000057 lea ebx, dword ptr [ebp+12454EE9h] 0x0000005d mov dword ptr [ebp+122D31E0h], edx 0x00000063 xchg eax, ebx 0x00000064 push edx 0x00000065 pushad 0x00000066 push ebx 0x00000067 pop ebx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F3AA second address: 55F415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 nop 0x00000009 mov edx, dword ptr [ebp+122D1D7Bh] 0x0000000f sbb dx, 16B5h 0x00000014 push 00000000h 0x00000016 mov ecx, 3E70162Fh 0x0000001b push 2A153FA4h 0x00000020 jns 00007F3704EAC2C0h 0x00000026 xor dword ptr [esp], 2A153F24h 0x0000002d pushad 0x0000002e mov edx, dword ptr [ebp+122D1F74h] 0x00000034 push edx 0x00000035 mov eax, dword ptr [ebp+122D37B1h] 0x0000003b pop edx 0x0000003c popad 0x0000003d push 00000003h 0x0000003f mov edx, dword ptr [ebp+122D37F5h] 0x00000045 mov edi, dword ptr [ebp+122D38D1h] 0x0000004b push 00000000h 0x0000004d mov dh, D9h 0x0000004f push 00000003h 0x00000051 sub dword ptr [ebp+122D270Bh], edi 0x00000057 push B1C67D00h 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F415 second address: 55F419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 55F419 second address: 55F431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E01D second address: 57E043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F3704502846h 0x00000010 jmp 00007F370450284Fh 0x00000015 jnp 00007F3704502846h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E043 second address: 57E048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E1CA second address: 57E1CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E1CE second address: 57E1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E507 second address: 57E50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E50B second address: 57E50F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E6A5 second address: 57E6B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F370450284Ah 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E6B5 second address: 57E6DE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3704EAC2B6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3704EAC2C9h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57E895 second address: 57E8D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502851h 0x00000007 jmp 00007F3704502858h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F3704502855h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57EA36 second address: 57EA64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C1h 0x00000007 jmp 00007F3704EAC2C9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57EBFB second address: 57EBFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57ED81 second address: 57ED85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57F2E8 second address: 57F2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57F2EC second address: 57F2F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 553224 second address: 553228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 553228 second address: 553244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F3704EAC2BEh 0x0000000e jc 00007F3704EAC2B6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 553244 second address: 553257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F370450284Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57F44F second address: 57F459 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3704EAC2BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 57FE83 second address: 57FE9D instructions: 0x00000000 rdtsc 0x00000002 js 00007F3704502846h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F370450284Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58014D second address: 580153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 580153 second address: 580180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F3704502859h 0x0000000b jc 00007F3704502846h 0x00000011 pop eax 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 582820 second address: 582844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F3704EAC2C5h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 582844 second address: 58286D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F3704502846h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 586D20 second address: 586D24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 586D24 second address: 586D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B2E0 second address: 58B2E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B2E9 second address: 58B2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B2EF second address: 58B2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B2F3 second address: 58B308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 js 00007F370450286Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58A7BD second address: 58A7DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F3704EAC2C6h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58A7DA second address: 58A7E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007F3704502846h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58AA85 second address: 58AAC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2BCh 0x00000007 js 00007F3704EAC2BAh 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3704EAC2C3h 0x0000001b jmp 00007F3704EAC2C0h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58AAC5 second address: 58AACF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3704502846h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58AACF second address: 58AAEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F3704EAC2C3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B018 second address: 58B01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B01D second address: 58B028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F3704EAC2B6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58B028 second address: 58B043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F370450284Eh 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58C08F second address: 58C0B2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3704EAC2BEh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58C10F second address: 58C115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CC6F second address: 58CC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CC73 second address: 58CC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CC79 second address: 58CC7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CD29 second address: 58CD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CE1C second address: 58CE22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CE22 second address: 58CE26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58CF70 second address: 58CF7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3704EAC2BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D888 second address: 58D88F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D88F second address: 58D894 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D894 second address: 58D8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D8A2 second address: 58D8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58D8A6 second address: 58D8B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58E267 second address: 58E2D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jmp 00007F3704EAC2BAh 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D1CE2h], edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F3704EAC2B8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 cmc 0x00000034 push 00000000h 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 jnp 00007F3704EAC2C4h 0x0000003f jmp 00007F3704EAC2BEh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58E2D3 second address: 58E2F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F3704502846h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F370450284Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F3704502846h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58F343 second address: 58F347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58EB85 second address: 58EB89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58F347 second address: 58F34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 58FE71 second address: 58FEFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007F3704502846h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jc 00007F3704502846h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edi 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F3704502848h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 adc si, CDBBh 0x00000039 push 00000000h 0x0000003b pushad 0x0000003c mov edi, dword ptr [ebp+122D378Dh] 0x00000042 jno 00007F370450284Ch 0x00000048 mov edi, dword ptr [ebp+122D2C1Fh] 0x0000004e popad 0x0000004f push 00000000h 0x00000051 mov dword ptr [ebp+122D35DCh], esi 0x00000057 xchg eax, ebx 0x00000058 pushad 0x00000059 jc 00007F3704502854h 0x0000005f je 00007F370450284Ch 0x00000065 jno 00007F3704502846h 0x0000006b popad 0x0000006c push eax 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 jnc 00007F3704502846h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 590990 second address: 590995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 590995 second address: 5909BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F370450284Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3704502851h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5909BE second address: 590A4D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3704EAC2BCh 0x00000008 jng 00007F3704EAC2B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F3704EAC2B8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007F3704EAC2B8h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 mov si, bx 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push edx 0x0000004f call 00007F3704EAC2B8h 0x00000054 pop edx 0x00000055 mov dword ptr [esp+04h], edx 0x00000059 add dword ptr [esp+04h], 00000018h 0x00000061 inc edx 0x00000062 push edx 0x00000063 ret 0x00000064 pop edx 0x00000065 ret 0x00000066 mov di, F3ECh 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d ja 00007F3704EAC2C3h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 590A4D second address: 590A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3704502846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5994CF second address: 5994D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59A47C second address: 59A480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59A523 second address: 59A534 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3704EAC2BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5984E9 second address: 5985AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F3704502848h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d adc di, 8AFAh 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 ja 00007F370450284Ch 0x0000003f mov dword ptr [ebp+122D351Fh], ecx 0x00000045 mov eax, dword ptr [ebp+122D05B9h] 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e call 00007F3704502848h 0x00000053 pop eax 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 add dword ptr [esp+04h], 00000018h 0x00000060 inc eax 0x00000061 push eax 0x00000062 ret 0x00000063 pop eax 0x00000064 ret 0x00000065 mov bx, 7915h 0x00000069 push FFFFFFFFh 0x0000006b xor edi, 2E0F3D95h 0x00000071 nop 0x00000072 jnl 00007F3704502858h 0x00000078 push eax 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F3704502859h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5985AB second address: 5985B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5985B1 second address: 5985B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5985B7 second address: 5985BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 545C1B second address: 545C29 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59A663 second address: 59A6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3704EAC2B6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov dword ptr [esp], eax 0x0000000f adc bx, 7827h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F3704EAC2B8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 add ebx, dword ptr [ebp+122D27BCh] 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 cmc 0x00000043 mov eax, dword ptr [ebp+122D0325h] 0x00000049 push 00000000h 0x0000004b push edi 0x0000004c call 00007F3704EAC2B8h 0x00000051 pop edi 0x00000052 mov dword ptr [esp+04h], edi 0x00000056 add dword ptr [esp+04h], 00000016h 0x0000005e inc edi 0x0000005f push edi 0x00000060 ret 0x00000061 pop edi 0x00000062 ret 0x00000063 mov edi, dword ptr [ebp+122D27E0h] 0x00000069 push FFFFFFFFh 0x0000006b add ebx, 491DB538h 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 jmp 00007F3704EAC2C1h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5985BB second address: 5985BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59A6EF second address: 59A6F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DB4E second address: 59DB58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F3704502846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DB58 second address: 59DBC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F3704EAC2C2h 0x00000011 nop 0x00000012 clc 0x00000013 push 00000000h 0x00000015 or ebx, 284F1136h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F3704EAC2B8h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 add di, 9499h 0x0000003c mov dword ptr [ebp+122D3485h], ebx 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DBC0 second address: 59DBCA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DBCA second address: 59DBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59EB0A second address: 59EB10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59EB10 second address: 59EB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DCB6 second address: 59DCBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59EB14 second address: 59EB36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jl 00007F3704EAC2B6h 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3704EAC2BEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59EB36 second address: 59EBA6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c stc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F3704502848h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 add ebx, dword ptr [ebp+122D2986h] 0x0000002f mov edi, dword ptr [ebp+122D359Bh] 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D311Ah], esi 0x0000003d xchg eax, esi 0x0000003e je 00007F3704502850h 0x00000044 pushad 0x00000045 push edi 0x00000046 pop edi 0x00000047 jns 00007F3704502846h 0x0000004d popad 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 jmp 00007F3704502858h 0x00000057 pushad 0x00000058 popad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DCBA second address: 59DD65 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F3704EAC2C5h 0x00000010 jmp 00007F3704EAC2BFh 0x00000015 popad 0x00000016 mov dword ptr [esp], eax 0x00000019 jmp 00007F3704EAC2BDh 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F3704EAC2B8h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 push edi 0x00000047 pop ebx 0x00000048 add dword ptr [ebp+122D2E11h], eax 0x0000004e mov eax, dword ptr [ebp+122D0B35h] 0x00000054 push ebx 0x00000055 mov ebx, dword ptr [ebp+122D28E5h] 0x0000005b pop edi 0x0000005c mov edi, 3CF9B027h 0x00000061 push FFFFFFFFh 0x00000063 push 00000000h 0x00000065 push ebp 0x00000066 call 00007F3704EAC2B8h 0x0000006b pop ebp 0x0000006c mov dword ptr [esp+04h], ebp 0x00000070 add dword ptr [esp+04h], 0000001Ch 0x00000078 inc ebp 0x00000079 push ebp 0x0000007a ret 0x0000007b pop ebp 0x0000007c ret 0x0000007d mov ebx, dword ptr [ebp+122D1EDBh] 0x00000083 nop 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59EBA6 second address: 59EBAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DD65 second address: 59DD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59EBAC second address: 59EBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DD6A second address: 59DD74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F3704EAC2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DD74 second address: 59DD78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59DD78 second address: 59DD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59FD09 second address: 59FD0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1AF7 second address: 5A1AFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1AFB second address: 5A1B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3704502856h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1B1C second address: 5A1B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1B20 second address: 5A1B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1B29 second address: 5A1B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A1B2F second address: 5A1BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007F3704502852h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F3704502848h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F3704502848h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F3704502857h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2A88 second address: 5A2AEA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3704EAC2C1h 0x00000008 jmp 00007F3704EAC2BBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F3704EAC2C7h 0x00000015 nop 0x00000016 sub dword ptr [ebp+122D35A2h], edx 0x0000001c mov edi, 5DB7B3B1h 0x00000021 push 00000000h 0x00000023 and ebx, dword ptr [ebp+122D1DA1h] 0x00000029 push 00000000h 0x0000002b jmp 00007F3704EAC2C8h 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push esi 0x00000036 pop esi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2AEA second address: 5A2AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A2AEE second address: 5A2AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6959 second address: 5A6967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A6967 second address: 5A696C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5BCA second address: 5A5BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3704502850h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5BDE second address: 5A5C6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F3704EAC2C2h 0x00000010 mov ebx, edx 0x00000012 pop edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 jbe 00007F3704EAC2B8h 0x00000027 mov bh, al 0x00000029 mov eax, dword ptr [ebp+122D110Dh] 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F3704EAC2B8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov ebx, dword ptr [ebp+12465D84h] 0x0000004f mov edi, esi 0x00000051 push FFFFFFFFh 0x00000053 sub ebx, 47FE0AEEh 0x00000059 nop 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d jmp 00007F3704EAC2C9h 0x00000062 jc 00007F3704EAC2B6h 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5C6F second address: 5A5C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502856h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5C8F second address: 5A5C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5A5C93 second address: 5A5C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5AFC11 second address: 5AFC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3704EAC2C8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5AFC33 second address: 5AFC48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F370450284Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5AFC48 second address: 5AFC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5BA0DF second address: 5BA0E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5BA0E3 second address: 5BA0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jo 00007F3704EAC2B6h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C3876 second address: 5C3880 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C3880 second address: 5C3886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C98D9 second address: 5C98DE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C98DE second address: 5C98F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F3704EAC2BCh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C871E second address: 5C8723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C8723 second address: 5C8731 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3704EAC2B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C8D29 second address: 5C8D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F370450284Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C8D42 second address: 5C8D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C8D46 second address: 5C8D4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5C8EC6 second address: 5C8ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jns 00007F3704EAC2B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CDAD7 second address: 5CDADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CDADF second address: 5CDAE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CDAE5 second address: 5CDB02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F3704502848h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F370450284Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CDB02 second address: 5CDB33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3704EAC2C9h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F3704EAC2BDh 0x0000000f popad 0x00000010 push eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59545A second address: 59545E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59545E second address: 595468 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595468 second address: 595477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F370450284Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595477 second address: 575FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e movsx edx, ax 0x00000011 call dword ptr [ebp+122D1DABh] 0x00000017 jno 00007F3704EAC2D6h 0x0000001d pushad 0x0000001e jmp 00007F3704EAC2C6h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59594A second address: 595950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595950 second address: 3DDB5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov cl, 25h 0x0000000b push dword ptr [ebp+122D16E1h] 0x00000011 movsx edx, di 0x00000014 call dword ptr [ebp+122D1D95h] 0x0000001a pushad 0x0000001b jmp 00007F3704EAC2C4h 0x00000020 xor eax, eax 0x00000022 sub dword ptr [ebp+122D1D76h], ebx 0x00000028 mov dword ptr [ebp+122D1D76h], esi 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 cld 0x00000033 cld 0x00000034 mov dword ptr [ebp+122D37E5h], eax 0x0000003a jno 00007F3704EAC2BCh 0x00000040 mov esi, 0000003Ch 0x00000045 mov dword ptr [ebp+122D1E60h], edx 0x0000004b stc 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 ja 00007F3704EAC2BCh 0x00000056 lodsw 0x00000058 mov dword ptr [ebp+122D2673h], edi 0x0000005e jmp 00007F3704EAC2BBh 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 pushad 0x00000068 mov dx, si 0x0000006b sub dl, FFFFFFB8h 0x0000006e popad 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 stc 0x00000074 pushad 0x00000075 mov ecx, dword ptr [ebp+122D38D9h] 0x0000007b push ebx 0x0000007c mov edi, dword ptr [ebp+122D37C9h] 0x00000082 pop eax 0x00000083 popad 0x00000084 nop 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F3704EAC2BCh 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595A3B second address: 595A4C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F3704502846h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595AEC second address: 595AF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595AF3 second address: 595B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 5B1418FBh 0x0000000e or edx, dword ptr [ebp+122D267Ah] 0x00000014 push 5F55FAF3h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push esi 0x0000001d pop esi 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595D54 second address: 595D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595D58 second address: 595D66 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595D66 second address: 595D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 595E78 second address: 595F07 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F3704502848h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D577Dh], ebx 0x0000002a jmp 00007F3704502850h 0x0000002f push 00000004h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F3704502848h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b or edi, dword ptr [ebp+122D3729h] 0x00000051 mov dword ptr [ebp+122D28E5h], esi 0x00000057 je 00007F3704502849h 0x0000005d mov cx, dx 0x00000060 nop 0x00000061 pushad 0x00000062 jl 00007F3704502848h 0x00000068 push eax 0x00000069 pop eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jp 00007F3704502846h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5962A6 second address: 5962AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5962AC second address: 5962C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F3704502846h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F3704502846h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5962C3 second address: 5962CD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59674E second address: 596760 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F3704502846h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CE081 second address: 5CE097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F3704EAC2C0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CE097 second address: 5CE09C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5CE4A2 second address: 5CE4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54FC2E second address: 54FC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D42E8 second address: 5D42F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D460B second address: 5D4611 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4611 second address: 5D461A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4799 second address: 5D479F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D479F second address: 5D47A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D47A5 second address: 5D47A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4CCF second address: 5D4CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4E4A second address: 5D4E59 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4FD6 second address: 5D4FDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D4FDE second address: 5D4FF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F3704502846h 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e js 00007F3704502859h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DB352 second address: 5DB366 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3704EAC2B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F3704EAC2BCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D9F65 second address: 5D9F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5D9F6B second address: 5D9F6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA0C1 second address: 5DA0C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA0C7 second address: 5DA0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA0CD second address: 5DA0FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jns 00007F3704502846h 0x00000012 jmp 00007F3704502854h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA2A4 second address: 5DA2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA2A8 second address: 5DA2C9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3704502846h 0x00000008 jmp 00007F370450284Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jp 00007F370450284Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA529 second address: 5DA52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA52D second address: 5DA531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA531 second address: 5DA53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA53A second address: 5DA554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502854h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA554 second address: 5DA594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F3704EAC2D4h 0x0000000e jmp 00007F3704EAC2C4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA594 second address: 5DA59D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA59D second address: 5DA5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA730 second address: 5DA74C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F370450284Ch 0x00000009 jmp 00007F370450284Bh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DA74C second address: 5DA77B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C4h 0x00000007 jo 00007F3704EAC2CDh 0x0000000d jmp 00007F3704EAC2C1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DAB81 second address: 5DAB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jnp 00007F3704502846h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DAB94 second address: 5DAB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DAB9A second address: 5DAB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DAD20 second address: 5DAD44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2BEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F3704EAC2BCh 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DB06D second address: 5DB07B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edi 0x00000007 ja 00007F3704502846h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE6BD second address: 5DE6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE6C1 second address: 5DE6C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE6C5 second address: 5DE6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E426A second address: 5E427E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E427E second address: 5E4283 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E44F2 second address: 5E44F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E5E86 second address: 5E5E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E7EB7 second address: 5E7EDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Ch 0x00000007 jg 00007F3704502850h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E7EDC second address: 5E7F0E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007F3704EAC2B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3704EAC2C0h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3704EAC2C0h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5E7F0E second address: 5E7F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EA53A second address: 5EA55A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3704EAC2C1h 0x00000008 jmp 00007F3704EAC2BAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EEFF0 second address: 5EEFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 540AC3 second address: 540ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EE3CC second address: 5EE402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502858h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F370450284Ah 0x0000000f pushad 0x00000010 jmp 00007F370450284Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EE826 second address: 5EE82B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5EE82B second address: 5EE831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F1A95 second address: 5F1A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F7DF8 second address: 5F7DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 596097 second address: 59610B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3704EAC2B8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007F3704EAC2C7h 0x00000014 mov ebx, dword ptr [ebp+1248B1C0h] 0x0000001a sub ecx, dword ptr [ebp+12452EC9h] 0x00000020 add eax, ebx 0x00000022 mov dword ptr [ebp+122D2212h], ecx 0x00000028 jmp 00007F3704EAC2C6h 0x0000002d push eax 0x0000002e push ecx 0x0000002f jns 00007F3704EAC2BCh 0x00000035 pop ecx 0x00000036 mov dword ptr [esp], eax 0x00000039 push 00000004h 0x0000003b sub dword ptr [ebp+122D1E1Bh], ebx 0x00000041 nop 0x00000042 jg 00007F3704EAC2CBh 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 59610B second address: 596124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F370450284Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 596124 second address: 596128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 596128 second address: 59612E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5F7A6B second address: 5F7AA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3704EAC2C9h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F3704EAC2B6h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600203 second address: 600207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 600207 second address: 60020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE185 second address: 5FE193 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE193 second address: 5FE197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE197 second address: 5FE1A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE1A5 second address: 5FE1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE2FF second address: 5FE305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE305 second address: 5FE30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FE30A second address: 5FE30F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FF285 second address: 5FF2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704EAC2C8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F3704EAC2BBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FF2B1 second address: 5FF2CB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F370450284Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5FF2CB second address: 5FF2CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 604C95 second address: 604C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608C8C second address: 608C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608C90 second address: 608C9A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3704502846h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607DE2 second address: 607DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607F40 second address: 607F44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 607F44 second address: 607F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60808E second address: 608092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608092 second address: 6080A3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3704EAC2B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6081E3 second address: 6081EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6081EE second address: 6081F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6081F5 second address: 608200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F3704502846h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 60863F second address: 60868B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3704EAC2BEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 ja 00007F3704EAC2D1h 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F3704EAC2B6h 0x00000022 jno 00007F3704EAC2B6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608847 second address: 60884B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 608997 second address: 6089A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F3704EAC2B6h 0x0000000c jnl 00007F3704EAC2B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6089A9 second address: 6089D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3704502850h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F370450284Eh 0x00000013 pushad 0x00000014 jc 00007F3704502846h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6089D8 second address: 6089DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6089DE second address: 6089E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611276 second address: 611285 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611285 second address: 6112A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F370450284Eh 0x0000000b jnc 00007F3704502846h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 push ebx 0x00000015 ja 00007F370450284Ah 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6112A8 second address: 6112B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3704EAC2B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6116C9 second address: 6116CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6116CE second address: 611737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007F3704EAC2C7h 0x0000000d jnl 00007F3704EAC2B6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ecx 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jp 00007F3704EAC2B6h 0x00000022 jmp 00007F3704EAC2C9h 0x00000027 jmp 00007F3704EAC2C1h 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f ja 00007F3704EAC2B6h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611737 second address: 61173B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61173B second address: 611749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6118CE second address: 6118E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3704502848h 0x0000000c jnp 00007F3704502852h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6118E4 second address: 6118EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611C60 second address: 611C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611F47 second address: 611F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 611F4D second address: 611F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6120AA second address: 6120C3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3704EAC2C3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 61226C second address: 612273 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6196CC second address: 6196FD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3704EAC2D5h 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F3704EAC2B6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626A41 second address: 626A5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626A5A second address: 626A5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626581 second address: 626587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626587 second address: 6265A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F3704EAC2C1h 0x0000000b je 00007F3704EAC2B6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6265A5 second address: 6265AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6265AB second address: 6265AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6265AF second address: 6265C7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jns 00007F3704502846h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6265C7 second address: 6265D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6265D2 second address: 6265D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6265D6 second address: 6265DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 626736 second address: 626758 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F3704502846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F3704502853h 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007F370450284Bh 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6295CD second address: 6295D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6295D6 second address: 6295DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6295DA second address: 6295ED instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3704EAC2B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jnp 00007F3704EAC2B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6295ED second address: 629602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F370450284Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62F8B1 second address: 62F8C0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F3704EAC2B6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 62F8C0 second address: 62F8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63373F second address: 633758 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704EAC2C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 633758 second address: 63377A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F370450284Ah 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F3704502851h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 63377A second address: 6337B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jl 00007F3704EAC2CBh 0x0000000e jmp 00007F3704EAC2C5h 0x00000013 jmp 00007F3704EAC2C1h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6337B2 second address: 6337B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6337B8 second address: 6337BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6484A4 second address: 6484A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6484A9 second address: 6484B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3704EAC2BAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6484B7 second address: 6484D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F370450284Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5517C7 second address: 5517D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5517D0 second address: 5517D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6470C1 second address: 6470F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704EAC2C9h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3704EAC2C3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6470F6 second address: 647102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647102 second address: 647106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647106 second address: 647121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3704502853h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647121 second address: 647125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647125 second address: 647142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3704502854h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647142 second address: 647148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647148 second address: 647152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3704502846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647152 second address: 647156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647294 second address: 6472A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F3704502846h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6472A0 second address: 6472A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6472A4 second address: 6472D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F3704502857h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F370450284Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6472D1 second address: 6472D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6472D5 second address: 6472DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6472DB second address: 6472DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647596 second address: 6475AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502853h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6475AF second address: 6475B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6475B7 second address: 6475BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6475BC second address: 6475D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F3704EAC2B6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F3704EAC2DFh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6475D2 second address: 6475D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 647890 second address: 6478B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3704EAC2B8h 0x0000000a jmp 00007F3704EAC2C5h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D6C7 second address: 64D6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502852h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F3704502853h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D6FB second address: 64D6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D20C second address: 64D210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D210 second address: 64D214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D214 second address: 64D231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502852h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D39B second address: 64D3B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3704EAC2C3h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D3B7 second address: 64D3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 64D3BF second address: 64D3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66910E second address: 669131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jo 00007F3704502848h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jbe 00007F370450284Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 668FA7 second address: 668FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 668FAB second address: 668FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F370450284Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 668FC1 second address: 668FC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AD47 second address: 66AD57 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3704502846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AEC2 second address: 66AEF6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3704EAC2D9h 0x00000008 pushad 0x00000009 jc 00007F3704EAC2B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 66AEF6 second address: 66AF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F370450284Ch 0x00000009 jmp 00007F3704502850h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F370450284Ch 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d jmp 00007F3704502852h 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6737AC second address: 6737BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3704EAC2BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6737BB second address: 6737D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502850h 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6737D3 second address: 6737D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672ABB second address: 672AC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672AC1 second address: 672AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3704EAC2BFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672AD6 second address: 672ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672C49 second address: 672C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672C4F second address: 672C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672F2E second address: 672F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F3704EAC2C9h 0x0000000c jmp 00007F3704EAC2C3h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672F50 second address: 672F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jne 00007F3704502846h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 672F5E second address: 672F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676DAE second address: 676DE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502859h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F370450284Ah 0x00000010 pop ebx 0x00000011 push edx 0x00000012 push ecx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676DE1 second address: 676DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676DE5 second address: 676DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67674C second address: 67675B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3704EAC2B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67675B second address: 676784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3704502846h 0x0000000a jmp 00007F3704502851h 0x0000000f jmp 00007F370450284Dh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676784 second address: 67678E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3704EAC2BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67D3F8 second address: 67D40A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F370450284Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F3F1 second address: 67F3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F3F5 second address: 67F419 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F3704502854h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e js 00007F3704502846h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F419 second address: 67F41F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F41F second address: 67F450 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3704502846h 0x00000008 jmp 00007F3704502852h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jo 00007F370450284Eh 0x00000018 jne 00007F3704502846h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F450 second address: 67F454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F013 second address: 67F024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F370450284Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 67F024 second address: 67F028 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 677D0C second address: 677D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502855h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 je 00007F3704502852h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676C19 second address: 676C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3704EAC2C8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676C3A second address: 676C4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3704502850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676C4E second address: 676C53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 676C53 second address: 676C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3704502853h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F370450284Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 677BC5 second address: 677BC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 677BC9 second address: 677BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 3DDAF1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 3DDB8A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5826C0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5AB66A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5955C7 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 50C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 70C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003DE19E rdtsc

0_2_003DE19E

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2012

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BEFF3 GetSystemInfo,VirtualAlloc,

0_2_005BEFF3

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_003DE19E rdtsc

0_2_003DE19E

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: $kProgram Manager
Source: file.exe	Binary or memory string: $kProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B5F1D GetSystemTime,GetFileTime,

0_2_005B5F1D

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561645
Start date and time:	2024-11-24 03:04:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.492192557625596
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'842'624 bytes
MD5:	92b22f14f1664cc7bb2f42daf6fd1799
SHA1:	68a767dd4bcd60e310bafd7219749093bd013bc6
SHA256:	85507d05a1da7659f9045ec2d969ddd0de20723fc7422b4985bd392411449fe8
SHA512:	c4b30103cc0b0dff93b5deb61f7301f45b24054239592f4c2778c179312193dce01b06043885d5ff260424ad7c49bf8d18d48a9523deb1e7d7e12601745d513a
SSDEEP:	49152:u7fzzBeGCIB62HytmIQe5O43lLT25dsn3Gy:u77zwGCs62d3ex3lU2j
TLSH:	A8D529A2FA0671CFD48E17788527CE826D5E03F94B1144C7A9ADE4BA7DB3CC111B6D28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................,......',...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6bc000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F3704C57E0Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	6a9dbe092e8f771b5bdfc61473fc97bb	False	0.9348958333333334	OpenPGP Public Key	7.818185395285856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
heclofms	0xa000	0x2b0000	0x2b0000	84bfe49248c65008320c33e539ce9e76	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
owtxsouk	0x2ba000	0x2000	0x400	4ab0216d6685a812e503b6483aa369d2	False	0.7939453125	data	6.2332592158725095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2bc000	0x4000	0x2200	cc084bace80fd5d8b25949ad395fdcba	False	0.05572150735294118	DOS executable (COM)	0.6439714064202419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	21:05:00
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3d0000
File size:	2'842'624 bytes
MD5 hash:	92B22F14F1664CC7BB2F42DAF6FD1799
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	3.5%
Signature Coverage:	4.1%
Total number of Nodes:	340
Total number of Limit Nodes:	23

Executed Functions

Function 005BEFF3 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11EF5FEC), ref: 005BEFFF
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 005BF060

Memory Dump Source

Source File: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 315fcc1f902cf5d485d83efa03a3578069be2d3a29571deed73201d286f622da
Instruction ID: 1e354da62f31b97f00d7105ca58ef16d15741748ad6ad548930521f01e773534
Opcode Fuzzy Hash: 315fcc1f902cf5d485d83efa03a3578069be2d3a29571deed73201d286f622da
Instruction Fuzzy Hash: D041F171940246ABE729DF74DD55FE6BBECFF4C740F000466A206D9482E671A5D08BE0

Function 005B34A3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 005B35B4
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 005B35C8

Strings

1002, xrefs: 005B357E
.exe, xrefs: 005B350F
.dll, xrefs: 005B34EB

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 541354a570b376206c2126b08cc9ba37700832945230e4b1507dcf3216277f33
Instruction ID: 4139a3992fab52ecdedbd0e83d39370eb085be65c9582ef4213a04940c0b2713
Opcode Fuzzy Hash: 541354a570b376206c2126b08cc9ba37700832945230e4b1507dcf3216277f33
Instruction Fuzzy Hash: AB31457540420AEFDF26AF54D909AEE7FB9BF44310F104565F802A65A0C731BBA0EBA1

Function 005BFA1F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(?,?,6578652E,?,00000001,00000000,?), ref: 005BFA3B

Strings

.exe, xrefs: 005BFB4A, 005BFB90, 005BFB5B, 005BFB6E
.exe, xrefs: 005BFB85

Memory Dump Source

Source File: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: HandleModule
String ID: .exe$.exe
API String ID: 4139908857-1392631246
Opcode ID: fc278cc00826d57386187a9d0b7a393cca0dcccaf13105182ddd15ce5f838053
Instruction ID: eaf3003d93e15f09ebc2c0ef71da166686084776da37a49f132b456083fbcf69
Opcode Fuzzy Hash: fc278cc00826d57386187a9d0b7a393cca0dcccaf13105182ddd15ce5f838053
Instruction Fuzzy Hash: 93415B7190020AAFEB25CF54CD54BEABFB1FF04310F2484A4E906AA582C771BC90DB61

Function 005B39A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,005B393B,?,00000000,00000000), ref: 005B3A66
GetModuleHandleA.KERNEL32(00000000,?,?,?,005B393B,?,00000000,00000000), ref: 005B3A74

Strings

.dll, xrefs: 005B39DC

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: 539f964d23037577c653f31b145d7c945b165a6266f44e170822f95348de4465
Instruction ID: 27918173a30243daaed847846d2a2cfcdcb71584a5354b804653f952228a8eba
Opcode Fuzzy Hash: 539f964d23037577c653f31b145d7c945b165a6266f44e170822f95348de4465
Instruction Fuzzy Hash: 58118E30144606EBEF34DF24C80EBEDBEB8BF40344F644615E846684E0C771BAE8DA81

Function 005B6303 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(010416F4,-11EF5FEC), ref: 005B637C
GetFileAttributesA.KERNEL32(00000000,-11EF5FEC), ref: 005B638A

Strings

@, xrefs: 005B632F

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 57ef39310523941d8658ce9306f4317ea88c597db20959a528edd982d7f602ed
Instruction ID: f15fd0d220a20fd828d2651c84cb19f0da3f0dc456d7b4ece70999bf2df677db
Opcode Fuzzy Hash: 57ef39310523941d8658ce9306f4317ea88c597db20959a528edd982d7f602ed
Instruction Fuzzy Hash: 2B018C71508209FAEB35DF64D90D7DCBFB0BF40384F208865E4036A0A1C7B8BA91EB44

Function 005685B4 Relevance: 4.6, APIs: 3, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00568EC4
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00568EEB
GetNativeSystemInfo.KERNELBASE(?), ref: 00568F42

Memory Dump Source

Source File: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: 0ee4e0f2e0ca63660a0d53581825072dd8bb3cda5365b0ac321e92ef6fb16495
Instruction ID: 4e18cb8142684a8fbf84aa35729dcba1e84f6f2ae682095f9c941928bce305cb
Opcode Fuzzy Hash: 0ee4e0f2e0ca63660a0d53581825072dd8bb3cda5365b0ac321e92ef6fb16495
Instruction Fuzzy Hash: 4431F2B210010EDEEF11DF60D848BEF3BAAFF05314F104A26EA8286950DB764CA5CF59

Function 005B2383 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 005B23E5

Strings

\\?\, xrefs: 005B2440

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 67fa509464155cf7ddb9b599a1610d77c5d122b44206ff1a3bd70006668488ee
Instruction ID: 230bea89d95f4abf22d6528ef3a602ca34feb2b3a2d1e8b8ec1db302b9a3ccbd
Opcode Fuzzy Hash: 67fa509464155cf7ddb9b599a1610d77c5d122b44206ff1a3bd70006668488ee
Instruction Fuzzy Hash: 70310D3560020AFFDF26DF94CD09BDE7BB9BF44744F000155FA02A5860D772AAA2DB60

Function 005B3A92 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 005B3AF6

Strings

.dll, xrefs: 005B3AB3

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CurrentHandleModuleSleepThread
String ID: .dll
API String ID: 683542999-2738580789
Opcode ID: f207948d6e6887ea258b6512c4be02e56b657fb18ac20792dfd0ee7651e2f6a8
Instruction ID: b03e2e1380980e627011bfd2fce54d6ccdfc9903e1ef09afa33244e244822bea
Opcode Fuzzy Hash: f207948d6e6887ea258b6512c4be02e56b657fb18ac20792dfd0ee7651e2f6a8
Instruction Fuzzy Hash: D1F03075104206BFDF10DF54C84AADA7FB4FF54350F608415FE0699051C731EA55DB61

Function 005B651F Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(010416F4,?,?,-11EF5FEC,?,?,?,-11EF5FEC,?), ref: 005B65D1

Part of subcall function 005B64D1: IsBadWritePtr.KERNEL32(?,00000004), ref: 005B64DF

CreateFileA.KERNEL32(?,?,?,-11EF5FEC,?,?,?,-11EF5FEC,?), ref: 005B65F1

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 18e27641ab4880b73f46f8b00926baa290738247456697f062a0ce05364a053f
Instruction ID: ab0fff3b1192896004fd7f116d6b6a325b6c6b847385c5e0f3e3bf088905ce19
Opcode Fuzzy Hash: 18e27641ab4880b73f46f8b00926baa290738247456697f062a0ce05364a053f
Instruction Fuzzy Hash: 0C11237200454AFBDF329FA0CD09BED3E62BF44380F944525F902644A5C77AEAB1EB41

Function 005B5E8B Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

GetCurrentProcess.KERNEL32(-11EF5FEC), ref: 005B5E98
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 005B5EFE

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessSleepThread
String ID:
API String ID: 2846201637-0
Opcode ID: 8355e298fd490207d0d75c183b65eff3401d37d85666a77938da2df20a39816f
Instruction ID: ca05ed3afe692b84957d08559b7c5f4ffeea89f6a70f4af72f7cb238afc3aedf
Opcode Fuzzy Hash: 8355e298fd490207d0d75c183b65eff3401d37d85666a77938da2df20a39816f
Instruction Fuzzy Hash: 6901287210094AAB8F66AFA4DC09DEE3F79BF983407044621F90294010E732F662EB61

Function 005B1DD0 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: 9fd4e0162093a162c7c4904035740443f1de242919fa89e6c1550e38f7f206cb
Instruction ID: dc7107acf7f3205adc9675e7a3214bdfc8d4cfc45871683c2c5e4dbb0881912a
Opcode Fuzzy Hash: 9fd4e0162093a162c7c4904035740443f1de242919fa89e6c1550e38f7f206cb
Instruction Fuzzy Hash: 75F0B47160164AEFDB218F50C4687AE7EB8FF4031AF700179E50289181CBB16D95DA85

Function 005B4B24 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

CloseHandle.KERNELBASE(?,-11EF5FEC,?,?,005B44E7,?), ref: 005B4B62

Strings

D[, xrefs: 005B4B31

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CloseCurrentHandleSleepThread
String ID: D[
API String ID: 4003616898-2359138017
Opcode ID: ffa6ca589b4e7e002a97e8d8c1a49cd1a229e082631d2853bc21e6dab46e5010
Instruction ID: 37714c084be49e07778d680e7deabc1e58c51dc12853c9f1e28eaf3026efa469
Opcode Fuzzy Hash: ffa6ca589b4e7e002a97e8d8c1a49cd1a229e082631d2853bc21e6dab46e5010
Instruction Fuzzy Hash: DBE01272204807A69E707774C81EECF7F38BFD07807400921F60259056D620F592DAA4

Function 005B450A Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 005B45BF

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7ab49266058d0d298e72bf200b5d7637f6bfee2d2b37115e489de4431ce2ed20
Instruction ID: e2966c7a4236a5b818bcc08666391032a196f35013d1e8468f9c78b23e01a463
Opcode Fuzzy Hash: 7ab49266058d0d298e72bf200b5d7637f6bfee2d2b37115e489de4431ce2ed20
Instruction Fuzzy Hash: 20316971900609BADB309F64DC89FEEBFB8FB44714F208269F905AA192C771AA41CF54

Function 005B3D26 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 005B3DA8

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 904adb60081d6727765232ae0cd36e1e2ce197fd903e06af2086c8224a0f13aa
Instruction ID: 144198264ab7e738a95bd11588af37521052ebe90921b66cfd449406fd8bc286
Opcode Fuzzy Hash: 904adb60081d6727765232ae0cd36e1e2ce197fd903e06af2086c8224a0f13aa
Instruction Fuzzy Hash: CC31B171640605BEEB309F64DC86FD97BB8FB44724F204226F612BA1D1C7B1F6428B54

Function 0055B068 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0055B068

Memory Dump Source

Source File: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bdfa8ffa7e26d6632f11259ddb80c2988c9737dcff8471f43dc137b7c0a02060
Instruction ID: f52a6e201c5be0402faaf76dadcaf91e68cbfa9446ca6cf6ace5d84b2eb50b68
Opcode Fuzzy Hash: bdfa8ffa7e26d6632f11259ddb80c2988c9737dcff8471f43dc137b7c0a02060
Instruction Fuzzy Hash: 1A215CB240D204AFE7056F08DC45BAEBBE8FF45351F06492DEBD486240E7369864CB97

Function 005BF76C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 005BF819

Memory Dump Source

Source File: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: acedaf84248d67fd9141bd7b6b5e2e250558d447ebdcebe9db581dff78d7ee1d
Instruction ID: ad41b5776c169fba57e96a5ffe05d4680600cbb10cab42d96ea5c71d5b7b62e1
Opcode Fuzzy Hash: acedaf84248d67fd9141bd7b6b5e2e250558d447ebdcebe9db581dff78d7ee1d
Instruction Fuzzy Hash: 32119472E01225AFEB319A159C48BFA7F7CFF54755F1040B5F805A6041DB74BD818BA1

Function 07260D41 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 07260DCD

Memory Dump Source

Source File: 00000000.00000002.2267353313.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7260000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a64e41503ea29f5f8b01a1f8cacbaf7fa4a941cd285e7811ec8106cf79e7b303
Instruction ID: 2720656c229e615dc653b08c95c0d33155550cd4abf9433f7c3f21f852b3fef0
Opcode Fuzzy Hash: a64e41503ea29f5f8b01a1f8cacbaf7fa4a941cd285e7811ec8106cf79e7b303
Instruction Fuzzy Hash: BE2168B2C00219DFCB50CF99D884ADEFBF0EB88710F10821AD908AB204C734A541CBA4

Function 07260D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 07260DCD

Memory Dump Source

Source File: 00000000.00000002.2267353313.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7260000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e2220f88dedc3942761d95848a6ab470c4e3fe613024b5c46aac6891f67e161d
Instruction ID: 4dc1a81ba846399dc51dd3b224cc0e4dea5a3f7f712390baf0d24d2874ebf057
Opcode Fuzzy Hash: e2220f88dedc3942761d95848a6ab470c4e3fe613024b5c46aac6891f67e161d
Instruction Fuzzy Hash: 1A2127B6C11219DFCB50CF99D884BDEFBF4EF88710F14865AD908AB245D734A544CBA4

Function 07261509 Relevance: 1.6, APIs: 1, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 07261580

Memory Dump Source

Source File: 00000000.00000002.2267353313.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7260000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 931bf620503f7cbe58c90ec6142fd9c79d3fa818eb6b4a0524fb79adbd296fd3
Instruction ID: 8624fc7a3d6a2e3429725ca68fc4da91f6e9b658acef59b02aba213fa3692d54
Opcode Fuzzy Hash: 931bf620503f7cbe58c90ec6142fd9c79d3fa818eb6b4a0524fb79adbd296fd3
Instruction Fuzzy Hash: 0F2133B1C00249DFDB10CF9AC484BDEFBF4EB48320F10842AE918A7200C738AA44CFA5

Function 07261510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 07261580

Memory Dump Source

Source File: 00000000.00000002.2267353313.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7260000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 84657c695d5b2f9ca5964bc77c84de1f2d6d7598fb22901f5652806ee69564e1
Instruction ID: e1d500024db8cd82a61dd0aab649ebc5ecda02d0ed7bafea727e63893669123e
Opcode Fuzzy Hash: 84657c695d5b2f9ca5964bc77c84de1f2d6d7598fb22901f5652806ee69564e1
Instruction Fuzzy Hash: 8211D3B1900749DFDB10CF9AC585BDEFBF4AB48320F10842AE959A7250D778A644CFA5

Function 005B7057 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11EF5FEC), ref: 005B70DE

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CurrentFileSleepThreadView
String ID:
API String ID: 2270672837-0
Opcode ID: 8cbbb295a7ad4993ebc567969a11a584252672b08915a2ae11453e7bba0d4c55
Instruction ID: d398ff802c58bbb85839a93345a4011e435de807304e3721704fefda7c9fb24d
Opcode Fuzzy Hash: 8cbbb295a7ad4993ebc567969a11a584252672b08915a2ae11453e7bba0d4c55
Instruction Fuzzy Hash: B411937210854FEACF22AFA4DC1ADDE3F66BF98340B004912FA1159461C636E572EF61

Function 005B6E3F Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: ee00cdc8232bbe77359063a30379cd73c1bd439f512238981172664ab2db49e5
Instruction ID: 0dbac0102e0fdc6b521a24d701af36d9ccfbc441f65b2ec5a99da07b0434a33f
Opcode Fuzzy Hash: ee00cdc8232bbe77359063a30379cd73c1bd439f512238981172664ab2db49e5
Instruction Fuzzy Hash: 9011357610010AEBCF62AFA4C819AEF3F79BF84340F008410F9065A062C739EA65EB60

Function 07261301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 07261367

Memory Dump Source

Source File: 00000000.00000002.2267353313.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7260000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: a6fc082ff11ce3be9a8b32301e8b6effd6c594abc2de7f5785058f7655b5ed61
Instruction ID: 9d18ffa2e5e02a98f08a733daaf5df0ff14bf63b834ae618d4d6fc2c60a503f2
Opcode Fuzzy Hash: a6fc082ff11ce3be9a8b32301e8b6effd6c594abc2de7f5785058f7655b5ed61
Instruction Fuzzy Hash: 021155B1800349CFDB10DF9AD585BEEBBF4EF48720F20842AD918A3240D778A655CFA5

Function 07261308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 07261367

Memory Dump Source

Source File: 00000000.00000002.2267353313.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7260000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 3dada64bc2f06e8724cc22440ec439f26180f05e65b553cfed08dca3feb4748e
Instruction ID: d7c4413a25fd243c0060c8d1d3f6c8d0a17da745ba0cb7eeff66c890601cc6e2
Opcode Fuzzy Hash: 3dada64bc2f06e8724cc22440ec439f26180f05e65b553cfed08dca3feb4748e
Instruction Fuzzy Hash: 641125B1800249CFDB10CF9AC445BDEBBF4AB48720F20845AD518A3250C778A544CBA5

Function 005B6723 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11EF5FEC,?,?,005B4452,?,?,00000400,?,00000000,?,00000000), ref: 005B678F

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CurrentFileReadSleepThread
String ID:
API String ID: 1253362762-0
Opcode ID: 421f78dedb59a4fe084d85df2c303dd6173c443b0890f1cf4fd7263080613ec9
Instruction ID: 00ba132b939787d51e62afecb3af5ce4f242a8d858986250abca6f3381b73148
Opcode Fuzzy Hash: 421f78dedb59a4fe084d85df2c303dd6173c443b0890f1cf4fd7263080613ec9
Instruction Fuzzy Hash: 77F0E73610050AFBDF62AFA4D819DDE3F76FF84784F404811FA0659061DB36E9A1EBA1

Function 005B3706 Relevance: 1.5, APIs: 1, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(005B2EBC,005B2EBC), ref: 005B3751

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: c232e32bfb91735ebab9dd77394259ffd9ceb564dcfb6e22b008ef6d057e9d8e
Instruction ID: 854ca202c8265e6b2f0cf1fb508e43698e4d7dc4886b69b64f01ec40f3936693
Opcode Fuzzy Hash: c232e32bfb91735ebab9dd77394259ffd9ceb564dcfb6e22b008ef6d057e9d8e
Instruction Fuzzy Hash: 41E039B6104006AA8F512B79C81E8CE3E6AFFC0790B008421F80268021DE31F751E660

Function 003DE601 Relevance: 1.3, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 003DE603

Memory Dump Source

Source File: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22967e124c3bb58d78fb1458b9f1b19edced6ff2060bf06350dd38f92bbd3af4
Instruction ID: e46e27c4a903d474d75dbd072cc6750853ba4e8f67252e3cde6c84ee8d2f6f24
Opcode Fuzzy Hash: 22967e124c3bb58d78fb1458b9f1b19edced6ff2060bf06350dd38f92bbd3af4
Instruction Fuzzy Hash: 33F081F281870C9BD7613F54EC4A7BABEA4EB10310F150638DEC506750F6722A68968B

Function 005B1FA1 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 005B2005

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 83e08b961c66b7df09ed14a78f216414a9f73d08036065b97e87e9a9c9f90535
Instruction ID: b0e8b3dc49d5aac570253e210026f142e442e372e9e168f304f0a9fb478da89c
Opcode Fuzzy Hash: 83e08b961c66b7df09ed14a78f216414a9f73d08036065b97e87e9a9c9f90535
Instruction Fuzzy Hash: 5B01C43560050EBBCF22AFA5CC09EDEBFB6FF48741F000165A402A4164D732AA61DB64

Function 005BF396 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,005BF392,?,?,005BF098,?,?,005BF098,?,?,005BF098), ref: 005BF3B6

Memory Dump Source

Source File: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4156597ee7f19b3b3ee9bb2a53d6418257e666176a4659f955c426e1a2431c05
Instruction ID: acbabe3ea6ddcea93f5c1160b8a4472bee920d5872a4f1734065bd8b898c2b38
Opcode Fuzzy Hash: 4156597ee7f19b3b3ee9bb2a53d6418257e666176a4659f955c426e1a2431c05
Instruction Fuzzy Hash: 9BF0A4B1904209EFEB208F24CD05B99BFE4FF48761F118078F48A9BA51D3B1A8C0CB50

Function 005B3BE9 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,005B1C6F,?,?), ref: 005B3BEF

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9d300bdcba02cb3d7305b4076bf90d6e1782b88490fe4b2dad69953c45a848e5
Instruction ID: f394c2e0b6c718eb496db6392b45329dfe06a65da6394af08f849aecac260dd0
Opcode Fuzzy Hash: 9d300bdcba02cb3d7305b4076bf90d6e1782b88490fe4b2dad69953c45a848e5
Instruction Fuzzy Hash: 45B0483100450ABBCB11BF61DC0A88DBE69BB55699B408121B906550628B72AA609AD0

Function 003DECA5 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 003DECA7

Memory Dump Source

Source File: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2d03dd74ec9d1f74529ea5a59279142901c03d3ad1e06073c83bbca97b4d7d57
Instruction ID: 031f98f085b6d745a2ac810b58c5e1fd782d1e5bb41a1996c9f2c7cf92289a2e
Opcode Fuzzy Hash: 2d03dd74ec9d1f74529ea5a59279142901c03d3ad1e06073c83bbca97b4d7d57
Instruction Fuzzy Hash: 38C00236A0424E8BCB806F78B40C3CE3A30EF05722F200715FC2289AD0C7624C209A19

Non-executed Functions

Function 005B5F1D Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

GetSystemTime.KERNEL32(?,-11EF5FEC), ref: 005B5F52
GetFileTime.KERNEL32(?,?,?,?,-11EF5FEC), ref: 005B5F95

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: Time$CurrentFileSleepSystemThread
String ID:
API String ID: 3818558864-0
Opcode ID: 494f63097989a61d4148500bf48cffef7e83feabe0296c6e287dcdd5a0fcec7c
Instruction ID: e7a4122cd3cef2172e4e36ca5ee45d3e06586029c1d2e68308ca1326f7c3841d
Opcode Fuzzy Hash: 494f63097989a61d4148500bf48cffef7e83feabe0296c6e287dcdd5a0fcec7c
Instruction Fuzzy Hash: F501287220484AFBCB255F69DC0DEDEBF35FFC4350B504922F40285461E772E8A1DAA1

Function 003DDABA Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

NTDL, xrefs: 003DDE4C

Memory Dump Source

Source File: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: 4705d6242aca49537fa5277b2d3c207053b785c38dd24eb15fbe6aaa906ed7f6
Instruction ID: e3ef03c7b28723d281bbd897a50026a841c83aa025b8d04d11834d1c65642001
Opcode Fuzzy Hash: 4705d6242aca49537fa5277b2d3c207053b785c38dd24eb15fbe6aaa906ed7f6
Instruction Fuzzy Hash: CFA18BB390860E8BDB12CF65E5005EE77E5FF96320F25812BE80297B02D3B25D25DB59

Function 005B6DDB Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 005B6E22

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: f819008dae3039c08fa9e57b70c21d4cafbbab1d3e6d02ff6c3987cae3c9402d
Instruction ID: a1fa37c0013aa25843b3f217d49699230b2399cdcde4d5ac7dffa8293283f088
Opcode Fuzzy Hash: f819008dae3039c08fa9e57b70c21d4cafbbab1d3e6d02ff6c3987cae3c9402d
Instruction Fuzzy Hash: 28F0D43660020AEFCF11CFA4C90598E7FB2FF09304B108529F9069A251D776EA60EF40

Function 003E5893 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

,Qy, xrefs: 003E597D

Memory Dump Source

Source File: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID:
String ID: ,Qy
API String ID: 0-2423331711
Opcode ID: 5be6b01387743ba2f9e4b030da7bba13b3c8da6b164d01a8833893fefc216481
Instruction ID: 6da915d30685d27786d8a2a07e22bfff4da04d5831d0b1bf897f3664d202b7ee
Opcode Fuzzy Hash: 5be6b01387743ba2f9e4b030da7bba13b3c8da6b164d01a8833893fefc216481
Instruction Fuzzy Hash: D8519DB3F102254BF3484D28CC693A27692DB91310F2E827D8B4AAB7C6DD7E9C495384

Function 003DE19E Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

V, xrefs: 003DE35D

Memory Dump Source

Source File: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 190941268c9713ede3d984bb306caab785a82fea4cbc590c85ae92c8c6a06ed8
Instruction ID: 04e64657f59a4a7619427fd3dc7876ed2df4116aa84f5c909d2c1eb09224e736
Opcode Fuzzy Hash: 190941268c9713ede3d984bb306caab785a82fea4cbc590c85ae92c8c6a06ed8
Instruction Fuzzy Hash: 0C4181B240924E9ED7179F24E9049EF3FBCEB56320F24446BE841CAA42D3764D249B69

Function 005B5453 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 005B1DD0: GetCurrentThreadId.KERNEL32 ref: 005B1DDF
Part of subcall function 005B1DD0: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 005B1E22

Part of subcall function 005B64D1: IsBadWritePtr.KERNEL32(?,00000004), ref: 005B64DF

wsprintfA.USER32 ref: 005B5499
LoadImageA.USER32(?,?,?,?,?,?), ref: 005B555D

Strings

%8x, xrefs: 005B5527, 005B555A
%8x, xrefs: 005B5494, 005B5497

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: CurrentImageLoadSleepThreadWritewsprintf
String ID: %8x$%8x
API String ID: 2375920415-2046107164
Opcode ID: c481597e682be10c279682bccb702319adb4f35bcac8018e2240f0b00a420c71
Instruction ID: f407343fb8af7652e318cd9d5b7f0da83968501a625fb2c5557973eed56a494f
Opcode Fuzzy Hash: c481597e682be10c279682bccb702319adb4f35bcac8018e2240f0b00a420c71
Instruction Fuzzy Hash: D331F77190050ABBDF21DF94DC49EEEBF79FF88710F108125F911A61A0D731AA61DB60

Function 005B6024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(010416F4,00004020,00000000,-11EF5FEC), ref: 005B6111

Strings

@, xrefs: 005B6050

Memory Dump Source

Source File: 00000000.00000002.2265256395.00000000005A9000.00000040.00000001.01000000.00000003.sdmp, Offset: 003D0000, based on PE: true

Associated: 00000000.00000002.2264890503.00000000003D0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264912528.00000000003D2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264931283.00000000003D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264948669.00000000003DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2264967427.00000000003E6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265070488.000000000053F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265087760.0000000000541000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000558000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265108666.0000000000563000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265142809.000000000056C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265158023.000000000056D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265177705.0000000000581000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265192816.0000000000582000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265209723.0000000000592000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265223265.0000000000594000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265238225.0000000000596000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265273807.00000000005B8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265289301.00000000005BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265308263.00000000005D7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265323641.00000000005E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265337994.00000000005E3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265353537.00000000005E9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265368653.00000000005F3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265384807.00000000005F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265400225.0000000000600000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265414423.0000000000605000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265516748.0000000000606000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265535003.000000000060A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265550654.0000000000610000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265566563.0000000000615000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265584444.0000000000626000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265599440.000000000062A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265615013.0000000000633000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265631939.0000000000635000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265662668.0000000000673000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265678376.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.0000000000675000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265691906.000000000067D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265720245.000000000068A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2265733335.000000000068C000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3d0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 5dc96b4e73310a396a90f3ae5220458a3198f4d0b54172229e9a3d0b6f6fb36c
Instruction ID: 360aa4908e7f4929fd39727f284bb8e62ec18631e96c8e598ff78e3b44b20709
Opcode Fuzzy Hash: 5dc96b4e73310a396a90f3ae5220458a3198f4d0b54172229e9a3d0b6f6fb36c
Instruction Fuzzy Hash: 4531897150460AEFDB28DF44C848BCEBFB0FF08340F108529E95666651C3B9AAA1DF90

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 6280, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6280, Parent PID: 4004COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 005BEFF3 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 005B34A3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 005BFA1F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112
COMMON

Function 005B39A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 005B6303 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 005685B4 Relevance: 4.6, APIs: 3, Instructions: 80
registryCOMMON

Function 005B2383 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 005B3A92 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 005B651F Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 005B5E8B Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 005B1DD0 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Function 005B4B24 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 25
COMMON

Function 005B450A Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 005B3D26 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 0055B068 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON