Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561688
MD5:	2a14be5464af09ff5e0d667dbb41e756
SHA1:	5e3e9e8ee8c79a1c3bf51170f12f72ca84e851f0
SHA256:	e90e0d0df0140e53ff17d719d1d0343cd5f51eaaae614509338461beb5d20944
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2A14BE5464AF09FF5E0D667DBB41E756)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE9CF8 CryptVerifySignatureA,

0_2_00CE9CF8

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1859860586.0000000004D90000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B25A51	0_2_00B25A51
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91B88	0_2_00C91B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C91B62	0_2_00C91B62

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00CE4CED appears 35 times

Source: file.exe, 00000000.00000000.1829561636.0000000000B16000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: ORtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2741760 > 1048576

Source: file.exe

Static PE information: Raw size of gvbjqmpu is bigger than: 0x100000 < 0x297600

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W;gvbjqmpu:EW;pcqkcyiw:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2a250e should be: 0x2a27ba

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: gvbjqmpu
Source: file.exe	Static PE information: section name: pcqkcyiw
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA33E9 push 34399D41h; mov dword ptr [esp], ebx	0_2_00CA3BE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA33E9 push esi; mov dword ptr [esp], ebp	0_2_00CA3D83
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1E475 push 6F64161Eh; mov dword ptr [esp], esi	0_2_00B1F291
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9184F push 745B0E05h; mov dword ptr [esp], esi	0_2_00C9187F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9184F push 635610F1h; mov dword ptr [esp], eax	0_2_00C918B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9184F push 16A414CEh; mov dword ptr [esp], ebx	0_2_00C918F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B22B1C push eax; mov dword ptr [esp], ebx	0_2_00B23678
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1EB0B push 6864B1CAh; mov dword ptr [esp], edi	0_2_00B1EB1E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1EB0B push edi; mov dword ptr [esp], edx	0_2_00B1F159
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D810D5 push 7F141C08h; mov dword ptr [esp], ecx	0_2_00D810FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9C0ED push ebp; mov dword ptr [esp], 3B32182Bh	0_2_00C9C15F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9C0ED push esi; mov dword ptr [esp], 55FF6C91h	0_2_00C9C17F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9C0ED push 5CBFEFDFh; mov dword ptr [esp], eax	0_2_00C9C1DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9C0ED push 2661215Fh; mov dword ptr [esp], edi	0_2_00C9C230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA20E2 push 7CE93F84h; mov dword ptr [esp], ecx	0_2_00CA20EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2308F push esi; mov dword ptr [esp], 697FF412h	0_2_00B24383
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F082 push ebx; mov dword ptr [esp], edx	0_2_00C9F08B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B210E3 push esi; mov dword ptr [esp], 4CBEC601h	0_2_00B210F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F09D push 4B3A62CAh; mov dword ptr [esp], ecx	0_2_00C9F0A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F09D push eax; mov dword ptr [esp], 0165AA61h	0_2_00CA1E7E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1C0C0 push esi; mov dword ptr [esp], edi	0_2_00B1C242
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1C0C0 push esi; mov dword ptr [esp], edx	0_2_00B1C3F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B240C1 push eax; mov dword ptr [esp], esi	0_2_00B20A71
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F049 push edi; mov dword ptr [esp], ebx	0_2_00C9F06D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F049 push edx; mov dword ptr [esp], esp	0_2_00C9F071
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CA104A push 29397677h; mov dword ptr [esp], ebx	0_2_00CA173E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B22021 push edx; mov dword ptr [esp], ebx	0_2_00B24606
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B22021 push ebp; mov dword ptr [esp], esi	0_2_00B2460A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8F06C push esi; mov dword ptr [esp], 5D6FD900h	0_2_00C8F072
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F079 push edx; mov dword ptr [esp], ebp	0_2_00CA2E6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C9F079 push 045B15C2h; mov dword ptr [esp], esi	0_2_00CA2E74

Source: file.exe

Static PE information: section name: entropy: 7.790921165340799

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1DBAF second address: B1DBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4274B9D764h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1DBCA second address: B1DBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C916D2 second address: C916EA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4274B9D763h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C916EA second address: C916F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C916F0 second address: C916F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9185D second address: C91869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4274C4D0B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C91869 second address: C9186D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C919D3 second address: C919F0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4274C4D0B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F4274C4D0C1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C919F0 second address: C919F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C919F6 second address: C91A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F4274C4D0E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F4274C4D0C5h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C91B68 second address: C91B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007F4274B9D756h 0x0000000e popad 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jno 00007F4274B9D756h 0x00000018 pop edx 0x00000019 popad 0x0000001a push ecx 0x0000001b jmp 00007F4274B9D75Ch 0x00000020 push ebx 0x00000021 jng 00007F4274B9D756h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C94EDD second address: C94F3A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d jg 00007F4274C4D0CAh 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jc 00007F4274C4D0BEh 0x0000001e jl 00007F4274C4D0B8h 0x00000024 pushad 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 js 00007F4274C4D0C0h 0x0000002e pushad 0x0000002f jp 00007F4274C4D0B6h 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 popad 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c pushad 0x0000003d je 00007F4274C4D0B8h 0x00000043 push esi 0x00000044 pop esi 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C94F9C second address: C94FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C94FA6 second address: C95011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4274C4D0B6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f call 00007F4274C4D0C8h 0x00000014 mov cx, 0600h 0x00000018 pop ecx 0x00000019 push 00000000h 0x0000001b push 7A09F1C3h 0x00000020 push eax 0x00000021 push esi 0x00000022 jno 00007F4274C4D0B6h 0x00000028 pop esi 0x00000029 pop eax 0x0000002a xor dword ptr [esp], 7A09F143h 0x00000031 add edx, 0078122Fh 0x00000037 push 00000003h 0x00000039 mov si, cx 0x0000003c push 00000000h 0x0000003e mov si, 1CADh 0x00000042 mov esi, 094E5661h 0x00000047 push 00000003h 0x00000049 mov dword ptr [ebp+122D3643h], eax 0x0000004f push 79FE0A1Bh 0x00000054 push esi 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95011 second address: C9503A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 add dword ptr [esp], 4601F5E5h 0x0000000d mov dx, bx 0x00000010 xor cl, 00000048h 0x00000013 lea ebx, dword ptr [ebp+1244ADD2h] 0x00000019 mov dword ptr [ebp+122D1C59h], eax 0x0000001f xchg eax, ebx 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 je 00007F4274B9D756h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9503A second address: C95047 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95047 second address: C9504B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C950DD second address: C950E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C950E1 second address: C950EB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C950EB second address: C950F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4274C4D0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C950F5 second address: C95156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jl 00007F4274B9D758h 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F4274B9D769h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jns 00007F4274B9D766h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F4274B9D763h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95156 second address: C95160 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4274C4D0BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C951F1 second address: C9523B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F4274B9D762h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 jno 00007F4274B9D75Eh 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F4274B9D75Eh 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 jng 00007F4274B9D756h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9523B second address: C9526B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jo 00007F4274C4D0BAh 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F4274C4D0B6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9526B second address: C95274 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95274 second address: C952B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F4274C4D0B8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+12447E45h] 0x00000029 lea ebx, dword ptr [ebp+1244ADDBh] 0x0000002f add di, A90Fh 0x00000034 xchg eax, ebx 0x00000035 push ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95373 second address: C95377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95377 second address: C953F3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 33FBA120h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F4274C4D0B8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000003h 0x0000002d mov edx, dword ptr [ebp+122D2AB2h] 0x00000033 push 00000000h 0x00000035 mov edi, 161EF2B2h 0x0000003a push 00000003h 0x0000003c mov dword ptr [ebp+122D3198h], eax 0x00000042 pushad 0x00000043 mov dword ptr [ebp+122D290Dh], ecx 0x00000049 or di, 6055h 0x0000004e popad 0x0000004f call 00007F4274C4D0B9h 0x00000054 push ebx 0x00000055 jng 00007F4274C4D0C4h 0x0000005b pop ebx 0x0000005c push eax 0x0000005d pushad 0x0000005e push edi 0x0000005f pushad 0x00000060 popad 0x00000061 pop edi 0x00000062 pushad 0x00000063 push ecx 0x00000064 pop ecx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C953F3 second address: C95402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95402 second address: C95406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95406 second address: C9540A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9540A second address: C9542E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4274C4D0C9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9542E second address: C9543E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C9543E second address: C95444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C95444 second address: C95462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+124464EAh], ebx 0x0000000d lea ebx, dword ptr [ebp+1244ADE6h] 0x00000013 adc edi, 20552E7Ah 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6E6E second address: CA6E83 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F4274C4D0B8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB62D1 second address: CB62F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4274B9D768h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB62F4 second address: CB62FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4274C4D0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB62FE second address: CB632A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Fh 0x00000007 jmp 00007F4274B9D766h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB632A second address: CB6330 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB4192 second address: CB41B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F4274B9D75Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB41B1 second address: CB41B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB41B7 second address: CB41BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB41BB second address: CB41CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0BEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB45DE second address: CB45E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB45E4 second address: CB45EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB45EA second address: CB45F4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4274B9D75Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB45F4 second address: CB4604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F4274C4D0B6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB492A second address: CB494F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push edi 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F4274B9D75Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB4C03 second address: CB4C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F4274C4D0C7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB4C25 second address: CB4C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB500A second address: CB503C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0C0h 0x00000007 jmp 00007F4274C4D0C4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F4274C4D0C8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB503C second address: CB5040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5040 second address: CB5044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5309 second address: CB5317 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5317 second address: CB532B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAB037 second address: CAB052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F4274B9D766h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7FDF5 second address: C7FE06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4274C4D0BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7FE06 second address: C7FE17 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6145 second address: CB6160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C6h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6160 second address: CB6166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6166 second address: CB6180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6180 second address: CB6184 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6184 second address: CB618A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB618A second address: CB61B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d push edi 0x0000000e jmp 00007F4274B9D767h 0x00000013 pop edi 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB850C second address: CB8516 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8516 second address: CB8532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c ja 00007F4274B9D756h 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB875D second address: CB8780 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4274C4D0C7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8780 second address: CB8799 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F4274B9D758h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB886E second address: CB8879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C83428 second address: C83430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBF915 second address: CBF919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFAC7 second address: CBFACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFACB second address: CBFACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFACF second address: CBFADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFADA second address: CBFAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 jo 00007F4274C4D0D2h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFAE9 second address: CBFAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F4274B9D756h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFAF6 second address: CBFAFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFC27 second address: CBFC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4274B9D756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFC31 second address: CBFC42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC018E second address: CC01A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274B9D764h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1C3C second address: CC1C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2209 second address: CC2220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274B9D75Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2220 second address: CC2226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2AD9 second address: CC2AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4274B9D75Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2AED second address: CC2AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC64D1 second address: CC64D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC64D5 second address: CC64DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC6D9C second address: CC6E17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F4274B9D758h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov edi, dword ptr [ebp+122D33BEh] 0x0000002c push 00000000h 0x0000002e jmp 00007F4274B9D75Ah 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007F4274B9D758h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f mov si, di 0x00000052 add edi, 5C42934Ah 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b push edi 0x0000005c jns 00007F4274B9D756h 0x00000062 pop edi 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC6E17 second address: CC6E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC6E1D second address: CC6E53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F4274B9D75Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4274B9D75Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD933 second address: CCD939 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCD939 second address: CCD95F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D768h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F4274B9D75Eh 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD01E1 second address: CD01E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD21BC second address: CD21D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 je 00007F4274B9D762h 0x0000000e jl 00007F4274B9D75Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD21D2 second address: CD2231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 push 00000000h 0x00000007 push edi 0x00000008 call 00007F4274C4D0B8h 0x0000000d pop edi 0x0000000e mov dword ptr [esp+04h], edi 0x00000012 add dword ptr [esp+04h], 0000001Bh 0x0000001a inc edi 0x0000001b push edi 0x0000001c ret 0x0000001d pop edi 0x0000001e ret 0x0000001f jmp 00007F4274C4D0C7h 0x00000024 mov dword ptr [ebp+122D3A8Eh], ebx 0x0000002a push 00000000h 0x0000002c mov ebx, 290C5F10h 0x00000031 sbb edi, 349AD7EDh 0x00000037 push 00000000h 0x00000039 xor di, 6516h 0x0000003e xchg eax, esi 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD2231 second address: CD2235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD4278 second address: CD427E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD5235 second address: CD5239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD4462 second address: CD4468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD5239 second address: CD523D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD523D second address: CD52CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D3138h], ecx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F4274C4D0B8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c call 00007F4274C4D0C0h 0x00000031 mov di, 06BCh 0x00000035 pop ebx 0x00000036 mov ebx, 5D36CE3Fh 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007F4274C4D0B8h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 mov bx, si 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F4274C4D0C4h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD6230 second address: CD6237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD6237 second address: CD624A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4274C4D0B8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD542A second address: CD542F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD624A second address: CD624E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD542F second address: CD5450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4274B9D763h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD624E second address: CD6258 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD5450 second address: CD546B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D764h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD721A second address: CD721E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD721E second address: CD7222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD7222 second address: CD722C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD722C second address: CD7230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8203 second address: CD8209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA305 second address: CDA309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA309 second address: CDA382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F4274C4D0B8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ebx, 52601F3Fh 0x00000029 pushad 0x0000002a sub ch, 00000017h 0x0000002d xor dword ptr [ebp+124464EAh], edi 0x00000033 popad 0x00000034 push 00000000h 0x00000036 sub di, 0EA6h 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F4274C4D0B8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 0000001Dh 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 add dword ptr [ebp+122D2888h], eax 0x0000005d xchg eax, esi 0x0000005e push edi 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA382 second address: CDA386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA386 second address: CDA398 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F4274C4D0B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA398 second address: CDA3A2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD844E second address: CD8454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB2B5 second address: CDB346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jng 00007F4274B9D756h 0x00000010 pop edx 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F4274B9D758h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f call 00007F4274B9D768h 0x00000034 mov ebx, eax 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F4274B9D758h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov dword ptr [ebp+1246FF73h], ebx 0x00000059 push 00000000h 0x0000005b mov ebx, 4C562B81h 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8454 second address: CD8458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB346 second address: CDB34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB34A second address: CDB35C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jbe 00007F4274C4D0B6h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDC3D2 second address: CDC3DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB5FD second address: CDB609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDC3DF second address: CDC3FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4274B9D768h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDC488 second address: CDC48C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDD5CD second address: CDD5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE0E0E second address: CE0E2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F4274C4D0BDh 0x0000000e pop esi 0x0000000f push edi 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEC0 second address: CEEEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4274B9D769h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEEEE0 second address: CEEEEA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEE664 second address: CEE66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF615E second address: CF6167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF6167 second address: CF616B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CF616B second address: CF618E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4274C4D0B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4274C4D0C3h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD906 second address: CFD910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFC6C3 second address: CFC6D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4274C4D0C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFCC43 second address: CFCC51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F4274B9D756h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFCC51 second address: CFCC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFCC58 second address: CFCC72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D765h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD1BB second address: CFD1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFD344 second address: CFD37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4274B9D756h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F4274B9D764h 0x00000011 jmp 00007F4274B9D75Ch 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jg 00007F4274B9D756h 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01B3F second address: D01B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01B46 second address: D01B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01B4E second address: D01B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4274C4D0BFh 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F4274C4D0B6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01B6E second address: D01B78 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01B78 second address: D01B7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01DFA second address: D01E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01E02 second address: D01E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0225E second address: D02270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F4274B9D756h 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02270 second address: D022A1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jc 00007F4274C4D0B6h 0x00000016 jmp 00007F4274C4D0C4h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D022A1 second address: D022A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02A97 second address: D02A9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02A9D second address: D02AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02AA8 second address: D02AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02AB0 second address: D02AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08C4B second address: D08C5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007F4274C4D0B6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0DB4D second address: D0DB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4274B9D75Ch 0x00000009 jno 00007F4274B9D756h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCABB7 second address: CCABC1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4274C4D0BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCABC1 second address: CAB037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F4274B9D758h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D340Ah], eax 0x00000029 call dword ptr [ebp+122D399Ah] 0x0000002f jmp 00007F4274B9D766h 0x00000034 push eax 0x00000035 push edx 0x00000036 push esi 0x00000037 jmp 00007F4274B9D75Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB0E7 second address: CCB0F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4274C4D0B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB1BF second address: CCB1D1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4274B9D758h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB1D1 second address: CCB202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jng 00007F4274C4D0B6h 0x0000000e pop ebx 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F4274C4D0CBh 0x0000001c jmp 00007F4274C4D0C5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB202 second address: CCB243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F4274B9D756h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F4274B9D758h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 call 00007F4274B9D759h 0x0000002e js 00007F4274B9D764h 0x00000034 push eax 0x00000035 push edx 0x00000036 push ecx 0x00000037 pop ecx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB243 second address: CCB247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB247 second address: CCB2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 ja 00007F4274B9D75Eh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ecx 0x00000012 pushad 0x00000013 jmp 00007F4274B9D769h 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b pop ecx 0x0000001c mov eax, dword ptr [eax] 0x0000001e jns 00007F4274B9D77Eh 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 js 00007F4274B9D764h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB2BD second address: CCB2C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB38B second address: CCB38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB38F second address: CCB393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB5C6 second address: CCB5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB6E8 second address: CCB6EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB6EC second address: CCB742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, dword ptr [ebp+122D260Eh] 0x00000010 pushad 0x00000011 mov ch, bh 0x00000013 or edi, dword ptr [ebp+122D344Ah] 0x00000019 popad 0x0000001a push 00000004h 0x0000001c jmp 00007F4274B9D769h 0x00000021 nop 0x00000022 jmp 00007F4274B9D769h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB742 second address: CCB748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB748 second address: CCB75F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4274B9D763h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBB11 second address: CCBB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBB16 second address: CCBB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F4274B9D756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBDDD second address: CCBE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0BDh 0x00000009 popad 0x0000000a jmp 00007F4274C4D0C4h 0x0000000f popad 0x00000010 push eax 0x00000011 jbe 00007F4274C4D0CCh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBE0E second address: CCBE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274B9D75Eh 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jo 00007F4274B9D768h 0x00000014 push esi 0x00000015 jmp 00007F4274B9D760h 0x0000001a pop esi 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBE44 second address: CCBE5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBE5A second address: CCBE77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F4274B9D758h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBF57 second address: CCBF61 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4274C4D0BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C818FC second address: C8190F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4274B9D756h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E290 second address: D0E295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E433 second address: D0E44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F4274B9D761h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E44E second address: D0E454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E5BF second address: D0E5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4274B9D764h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E752 second address: D0E757 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0E899 second address: D0E89E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12FBD second address: D12FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D135C1 second address: D135CF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F4274B9D756h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D13730 second address: D1373B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1373B second address: D1374B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Bh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1430E second address: D1432E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1432E second address: D14342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274B9D760h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14342 second address: D14348 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14348 second address: D14364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4274B9D766h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14364 second address: D14370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F4274C4D0B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14370 second address: D14374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12B59 second address: D12B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4274C4D0C5h 0x00000008 jns 00007F4274C4D0B6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D12B7C second address: D12B80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17320 second address: D1732D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4274C4D0B6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1732D second address: D17337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F4274B9D756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19B68 second address: D19B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19B6C second address: D19B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19B70 second address: D19B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19B76 second address: D19B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19B7F second address: D19B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19705 second address: D19709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19709 second address: D1972C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F4274C4D0BCh 0x0000000f jl 00007F4274C4D0B6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1972C second address: D19738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007F4274B9D756h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19738 second address: D1973C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1973C second address: D19742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19742 second address: D19758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c jp 00007F4274C4D0B6h 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D19758 second address: D19774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4274B9D756h 0x0000000a jnc 00007F4274B9D756h 0x00000010 jnc 00007F4274B9D756h 0x00000016 popad 0x00000017 push esi 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20704 second address: D20708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20708 second address: D20713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20713 second address: D20718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20718 second address: D2071D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1FF5A second address: D1FF62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20235 second address: D2024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274B9D765h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2024E second address: D20277 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4274C4D0CFh 0x00000008 jmp 00007F4274C4D0C7h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20277 second address: D2027B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2027B second address: D20281 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20281 second address: D20287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D20287 second address: D202A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F4274C4D0C2h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D202A2 second address: D202AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D247C3 second address: D247CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D24A6C second address: D24A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F4274B9D75Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D24D1B second address: D24D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D24D32 second address: D24D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB9BF second address: CCB9C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB9C5 second address: CCB9CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB9CA second address: CCB9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007F4274C4D0C0h 0x00000010 nop 0x00000011 mov edi, 6B2D7402h 0x00000016 push 00000004h 0x00000018 pushad 0x00000019 mov bx, 9380h 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jnp 00007F4274C4D0BCh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCB9FD second address: CCBA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCBA01 second address: CCBA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F4274C4D0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2517E second address: D25184 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28D11 second address: D28D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F4274C4D0C2h 0x0000000d push edi 0x0000000e jmp 00007F4274C4D0BCh 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28D38 second address: D28D45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 ja 00007F4274B9D756h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2849F second address: D284A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28A55 second address: D28A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F4274B9D767h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28A77 second address: D28A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007F4274C4D0BBh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28A8B second address: D28A90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28A90 second address: D28A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D28A96 second address: D28A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2EA6F second address: D2EA75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2ED0D second address: D2ED17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2ED17 second address: D2ED1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2ED1D second address: D2ED28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2ED28 second address: D2ED34 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2ED34 second address: D2ED3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4274B9D756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2F867 second address: D2F888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4274C4D0B6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d jmp 00007F4274C4D0BAh 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007F4274C4D0B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2F888 second address: D2F88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2FE55 second address: D2FE59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D30133 second address: D30145 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D30145 second address: D30155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F4274C4D0B6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D30155 second address: D30165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4274B9D756h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D30165 second address: D30169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D30169 second address: D3018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnp 00007F4274B9D758h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jmp 00007F4274B9D762h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37EB5 second address: D37EEC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4274C4D0BAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F4274C4D0BCh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F4274C4D0C7h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37EEC second address: D37EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37EF4 second address: D37EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37EFA second address: D37F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37F05 second address: D37F1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F4274C4D0BDh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38095 second address: D3809F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4274B9D756h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3822D second address: D3825D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F4274C4D0BFh 0x00000010 pop edx 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F4274C4D0BAh 0x0000001a pushad 0x0000001b popad 0x0000001c push edi 0x0000001d pop edi 0x0000001e jp 00007F4274C4D0B8h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3825D second address: D38262 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38262 second address: D3827D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4274C4D0C0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3827D second address: D38281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D383ED second address: D383F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D389A9 second address: D389AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38B2F second address: D38B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F4274C4D0B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38B39 second address: D38B58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D765h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38B58 second address: D38B5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3E760 second address: D3E770 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4274B9D75Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3E770 second address: D3E794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0C2h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jc 00007F4274C4D0B6h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3E794 second address: D3E7AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D763h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3EB9B second address: D3EBB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F4274C4D0BCh 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ECF4 second address: D3ECF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ECF8 second address: D3ED02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ED02 second address: D3ED12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274B9D75Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3ED12 second address: D3ED30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4274C4D0C5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3EE56 second address: D3EE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F224 second address: D3F22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F22A second address: D3F241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4274B9D75Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F3AE second address: D3F3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F3B5 second address: D3F3C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F4274B9D756h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F3C1 second address: D3F3D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274C4D0BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F55B second address: D3F5A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 jmp 00007F4274B9D767h 0x0000000c jmp 00007F4274B9D75Eh 0x00000011 jne 00007F4274B9D756h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F4274B9D75Dh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3FB92 second address: D3FB9C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D485FB second address: D485FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D58612 second address: D58653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C5h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4274C4D0C4h 0x00000015 jmp 00007F4274C4D0BDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5831D second address: D58321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5B12E second address: D5B136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5AAFA second address: D5AB01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5AC75 second address: D5AC97 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F4274C4D0B6h 0x00000012 jmp 00007F4274C4D0C0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5AC97 second address: D5ACA1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4274B9D756h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5F96A second address: D5F9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4274C4D0C9h 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4274C4D0C8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5F9A3 second address: D5F9AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5F9AD second address: D5F9BA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4274C4D0B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5F9BA second address: D5F9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6B2EE second address: D6B2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6B2F7 second address: D6B2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D725D4 second address: D725DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D725DD second address: D725F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D761h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D725F2 second address: D725F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D725F8 second address: D72602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4274B9D756h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D72602 second address: D72606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71433 second address: D71437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D71437 second address: D7143D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D722DA second address: D722E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D722E2 second address: D722E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D722E7 second address: D722F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4274B9D756h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75C69 second address: D75C97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F4274C4D0C5h 0x00000008 js 00007F4274C4D0B6h 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F4274C4D0BCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75C97 second address: D75C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8104A second address: D81052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81052 second address: D8105D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4274B9D756h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8105D second address: D81062 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90525 second address: D9053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4274B9D761h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9053E second address: D90542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99E4A second address: D99E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99E4E second address: D99E70 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4274C4D0B6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4274C4D0C4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99E70 second address: D99E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99E76 second address: D99E7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99E7A second address: D99E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F4274B9D756h 0x0000000e jp 00007F4274B9D756h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99E8E second address: D99E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D998C0 second address: D998C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3748 second address: DA374D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA6A42 second address: DA6A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4274B9D756h 0x0000000a jo 00007F4274B9D756h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4274B9D760h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F78D second address: D9F7B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4274C4D0C9h 0x00000009 jbe 00007F4274C4D0B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E480 second address: D9E486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E5E9 second address: D9E5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4274C4D0BEh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E5F5 second address: D9E613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4274B9D762h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E613 second address: D9E657 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F4274C4D0C1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4274C4D0BFh 0x00000013 push edi 0x00000014 jmp 00007F4274C4D0C9h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E657 second address: D9E66A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4274B9D75Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E66A second address: D9E66E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E66E second address: D9E672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B1DBE0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B1DAEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CB85EC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CB6E10 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CCAD39 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B1DB94 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D4D7BE instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 7110000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9184F rdtsc

0_2_00C9184F

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 3156

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CF0752 GetSystemInfo,VirtualAlloc,

0_2_00CF0752

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C9184F rdtsc

0_2_00C9184F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1B7D6 LdrInitializeThunk,

0_2_00B1B7D6

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: 9Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE8E3A GetSystemTime,GetFileTime,

0_2_00CE8E3A

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561688
Start date and time:	2024-11-24 05:10:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4853558413886265
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'741'760 bytes
MD5:	2a14be5464af09ff5e0d667dbb41e756
SHA1:	5e3e9e8ee8c79a1c3bf51170f12f72ca84e851f0
SHA256:	e90e0d0df0140e53ff17d719d1d0343cd5f51eaaae614509338461beb5d20944
SHA512:	9087753d84f871c42f6520182992a6b08b99ba6ae36e042f39db7a1d4429d3fe665cbd1cbfae7a990df58161136c6b2497dd0e70ce31dcdf356df5b06183ee4a
SSDEEP:	49152:sktikSuhCiz3cAFmB6p1qr9u+uhR90h2pomnDJ:sks1YCiz3cAFmB6etuho2pL
TLSH:	C8C53B92750B71CFD88E17789527CD82996D43B90F2648D3E86C79FE6E63CC211B6C28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@.. ...`....@.. ..............................%*...`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6a4000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F42748C8A4Ah
lfs ebp, dword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	525f709cacd99aeeffd23f64cf5ead4c	False	0.9322916666666666	OpenPGP Public Key	7.790921165340799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gvbjqmpu	0xa000	0x298000	0x297600	4c560dc945937f8e0cba999e6d175387	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pcqkcyiw	0x2a2000	0x2000	0x400	6147aa86e436c5d32a3b90a6e1029237	False	0.740234375	data	5.757298100982861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2a4000	0x4000	0x2200	8f5edd2f7311912455d9c6137c895d36	False	0.06686580882352941	DOS executable (COM)	0.6835113880787812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	23:11:13
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xb10000
File size:	2'741'760 bytes
MD5 hash:	2A14BE5464AF09FF5E0D667DBB41E756
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.7%
Dynamic/Decrypted Code Coverage:	3.3%
Signature Coverage:	5.3%
Total number of Nodes:	360
Total number of Limit Nodes:	21

Executed Functions

Function 00CF0752 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-117B5FEC), ref: 00CF075E
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00CF07BF

Memory Dump Source

Source File: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 8133b710f08717ccc7353ca7c338833e5b0a04b9d8c439e1d35e5742044e50aa
Instruction ID: 8355fa8ffb26b2db36e7f2147d3e7734e5a156122610f068aaaf80b7bee3529c
Opcode Fuzzy Hash: 8133b710f08717ccc7353ca7c338833e5b0a04b9d8c439e1d35e5742044e50aa
Instruction Fuzzy Hash: EC411371E0420BADE765DF608846FA676ACFB84B41F104162B607D98C3E67095D49BD1

Function 00C9184F Relevance: 1.6, APIs: 1, Instructions: 120
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00C9184F

Memory Dump Source

Source File: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d28a8c5bade7cffc44ae4884fa38a888e1f62a289a72919b54691b19fd48df63
Instruction ID: 5d4eb23da8ce87375d923b2777e3981de39fc6e56d1d01284a61ea2842665252
Opcode Fuzzy Hash: d28a8c5bade7cffc44ae4884fa38a888e1f62a289a72919b54691b19fd48df63
Instruction Fuzzy Hash: 634156B250C600DFE302AF2AD8856B9BBE4EF88710F16482DE6C487645E6354484CB97

Function 00B1B7D6 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

!!iH, xrefs: 00B1B946

Memory Dump Source

Source File: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID:
String ID: !!iH
API String ID: 0-3430752988
Opcode ID: 496f08e7352effe1be7b4071295d1768490a3dc6b1672ef378272142aa720233
Instruction ID: e113626a2f3f1d4c91af8f581f393f3715ddcfbee85c6f4d7bbaeb85b7d595d7
Opcode Fuzzy Hash: 496f08e7352effe1be7b4071295d1768490a3dc6b1672ef378272142aa720233
Instruction Fuzzy Hash: E0E0C232104889CAEB169F308A01FDA7A9EEB44B01FE00194FA418AE45CF3D4D52C795

Function 00CE63C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 00CE64D1
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00CE64E5

Strings

.dll, xrefs: 00CE6408
.exe, xrefs: 00CE642C
1002, xrefs: 00CE649B

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: e583ae4eba084bf4d6e974bc46afaea889078b9d33f1d8e01c840a172c81334e
Instruction ID: 272e88e7dcb4da0d762ec950b9cd8675ef27b548c32c85d5c370a5a1f868b7ed
Opcode Fuzzy Hash: e583ae4eba084bf4d6e974bc46afaea889078b9d33f1d8e01c840a172c81334e
Instruction Fuzzy Hash: E131F23141428AFFDF25EF52DA05AAD7F74FF28380F108025F912560A1C771DAA0EB61

Function 00CE68C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,00CE6858,?,00000000,00000000), ref: 00CE6983
GetModuleHandleA.KERNEL32(00000000,?,?,?,00CE6858,?,00000000,00000000), ref: 00CE6991

Strings

.dll, xrefs: 00CE68F9

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: fb8eba6bfd092ce0d7cfb73c0300ab7bdbdf4802d8afb898479ecd894e0dff05
Instruction ID: eafc5e98b087654365f82e51f7354bc2c89ffaad1410fb62fa7bbe11182aa765
Opcode Fuzzy Hash: fb8eba6bfd092ce0d7cfb73c0300ab7bdbdf4802d8afb898479ecd894e0dff05
Instruction Fuzzy Hash: C411523411878AEBDF34DF27D80D769BBB0BF243C5F144221B811454A6CBB5A6E0DA92

Function 00CE9220 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00F5122C,-117B5FEC), ref: 00CE9299
GetFileAttributesA.KERNEL32(00000000,-117B5FEC), ref: 00CE92A7

Strings

@, xrefs: 00CE924C

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 4bf587257425adee21db6cd85459b04ce9264712cd8c236dffb679eb3f3a1fe4
Instruction ID: 481bf3144850dfd33f55482e553f3264bdbeebd44477673a6dcea9e5ccecec24
Opcode Fuzzy Hash: 4bf587257425adee21db6cd85459b04ce9264712cd8c236dffb679eb3f3a1fe4
Instruction Fuzzy Hash: 79018CB1544685FADF219F66C909B9CBF70EF45348F208120EA12AA0A1C3B18B91EB40

Function 00CE52A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 00CE5302

Strings

\\?\, xrefs: 00CE535D

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: bf54d257a8d4aa238b567e6a497f92c3c11c7d0749d3a8329f0bf334f597ccc9
Instruction ID: 27b89b5899264ef07a5dd7af625fdfddb03b7707a0fed416060a332550dd84c4
Opcode Fuzzy Hash: bf54d257a8d4aa238b567e6a497f92c3c11c7d0749d3a8329f0bf334f597ccc9
Instruction Fuzzy Hash: 24312A71A00689FFDF218F96CD09B9EB77AFF08748F004154F910A60A0D7B29A65DF64

Function 00CE69AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00CE6A13

Strings

.dll, xrefs: 00CE69D0

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CurrentHandleModuleThread
String ID: .dll
API String ID: 2752942033-2738580789
Opcode ID: bcd0b1653ea54ac7715c85c8fa86b71aba8689ca40923282dc86456f92117364
Instruction ID: 5d27160466cf12a8158fc9a00e30aad1363bc75a0ad0d3b872ecb799f7274bcb
Opcode Fuzzy Hash: bcd0b1653ea54ac7715c85c8fa86b71aba8689ca40923282dc86456f92117364
Instruction Fuzzy Hash: 2AF0B476510285AFDF10DF56C949BAD3BB4FF28384F118020FE1596052D771C660FB21

Function 00CE943C Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00F5122C,?,?,-117B5FEC,?,?,?,-117B5FEC,?), ref: 00CE94EE

Part of subcall function 00CE93EE: IsBadWritePtr.KERNEL32(?,00000004), ref: 00CE93FC

CreateFileA.KERNEL32(?,?,?,-117B5FEC,?,?,?,-117B5FEC,?), ref: 00CE950E

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 807f51de7a4115f1f60f859104e3ab621c3faa22e55cfed795bdaf70ecb3b261
Instruction ID: a7aad7d9cad88782aabc101c207b1e3e9bbda3144a59a1705a6fc9dac6fca855
Opcode Fuzzy Hash: 807f51de7a4115f1f60f859104e3ab621c3faa22e55cfed795bdaf70ecb3b261
Instruction Fuzzy Hash: 2411263200428AFBDF229FA6DD09BAD3B72FF49344F148115F915640A1C3768AB2FB91

Function 00CE8DA8 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

GetCurrentProcess.KERNEL32(-117B5FEC), ref: 00CE8DB5
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CE8E1B

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessThread
String ID:
API String ID: 3748180921-0
Opcode ID: fccf7302089c0105de067956b115c23d539cabd31f9ab0822ac34e64448668e5
Instruction ID: 2b28af25afb20795af3888a6bab75f073c9dd27bfbf1d12845249aab4e5671e1
Opcode Fuzzy Hash: fccf7302089c0105de067956b115c23d539cabd31f9ab0822ac34e64448668e5
Instruction Fuzzy Hash: 9001193A10018ABB8F22AFA6CC09DAE3B3ABF583547144511FA1992015CB36D275EB61

Function 00CF117E Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fe5a85924b267a5ff0b326c06c427380ced4d7665dcac3fe905c82c9f35fe8
Instruction ID: 66ef26d1403ddacf94b68413c76a84fce526673d9810bd78ebc17f4a939b0e82
Opcode Fuzzy Hash: a4fe5a85924b267a5ff0b326c06c427380ced4d7665dcac3fe905c82c9f35fe8
Instruction Fuzzy Hash: 19416A71A00109EFDB65CF94C944BBE77B1FF44315F288055EE12AA591C370AE94EB52

Function 00CE7427 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00CE74DC

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 157171dd12ba40ad1f40173f107f83bd629c5ac1488c30fb0f228bf47e3db838
Instruction ID: 652ff50dd5c0664f613671230e95285e82f86d1535fb07e14c70f72ad98451ab
Opcode Fuzzy Hash: 157171dd12ba40ad1f40173f107f83bd629c5ac1488c30fb0f228bf47e3db838
Instruction Fuzzy Hash: 7631DE71504244FAEF209FA6DC49F9EBBB8FF08324F208269F515AA1C1D7319A51EF10

Function 00CE6C43 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00CE6CC5

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f3771c75e4f6d7f3996fa1c7add82904bec96dc1747987ecb5433d372c94ea96
Instruction ID: dbcd625c6335a16d2278916121307f0e28ffe7b1878b978cb9690a8fa71ba3cb
Opcode Fuzzy Hash: f3771c75e4f6d7f3996fa1c7add82904bec96dc1747987ecb5433d372c94ea96
Instruction Fuzzy Hash: 0331F071600205BAEB308F66DC46F99B7B8FF14764F308329F621AA0D1C3B2A641DB54

Function 00CF0ECB Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00CF0F78

Memory Dump Source

Source File: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 3461fd23f8926dc974d0a9868abe8d79e6c6b9b213008bc20999482732c99905
Instruction ID: 08b7bffcf5a3c93c3e11de61ecbf407ae8b493ac2fd5441f39188910868dda44
Opcode Fuzzy Hash: 3461fd23f8926dc974d0a9868abe8d79e6c6b9b213008bc20999482732c99905
Instruction Fuzzy Hash: C411DA71A0132DDFEBB44A488C45FFBB76CEF44B50F304095EA95E6043D7709E818AA2

Function 04F50D41 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04F50DCD

Memory Dump Source

Source File: 00000000.00000002.1995018068.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ae0b29107cba9dbdc7457d4a065388a3301e4e1a7bd789719ab981ffa0bdf9df
Instruction ID: d5384494b2b99ffd6c672ebe0f5e5c88ea6e7b4b1e911b61dd8b939bec0e475a
Opcode Fuzzy Hash: ae0b29107cba9dbdc7457d4a065388a3301e4e1a7bd789719ab981ffa0bdf9df
Instruction Fuzzy Hash: 062133B6D00208CFCB10CF99D485BDEFBF1FB88320F14822AD908AB254DB34A545CBA4

Function 04F50D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04F50DCD

Memory Dump Source

Source File: 00000000.00000002.1995018068.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 72808a192b4a19ebaef08b38ab257b8ae307fcb533503e3ed05f574449e2b990
Instruction ID: 592549d5ffd37ff81a466bbf5639bc87b054452a3636328c3a540a9693d75642
Opcode Fuzzy Hash: 72808a192b4a19ebaef08b38ab257b8ae307fcb533503e3ed05f574449e2b990
Instruction Fuzzy Hash: 642113B6C01218DFCB50CF99D885ADEFBF4EB88320F14856AD908AB214DB74A541CBA5

Function 04F51510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04F51580

Memory Dump Source

Source File: 00000000.00000002.1995018068.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 9340dc9fb38099c7debd2940279967ee56657976b37b0c6f64f521a7a195eeaf
Instruction ID: a00960bc6afbb1710a78023f499f345e5400504573a32e965d0c946acb2b82ea
Opcode Fuzzy Hash: 9340dc9fb38099c7debd2940279967ee56657976b37b0c6f64f521a7a195eeaf
Instruction Fuzzy Hash: 6011F6B1D00249DFDB10CF9AC584BDEFBF4EB48320F108029E959A7250D378A644CFA5

Function 04F51509 Relevance: 1.6, APIs: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04F51580

Memory Dump Source

Source File: 00000000.00000002.1995018068.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 8fcf2536153562a3455801b35d767ba6deebe112b555b761beb57404a3cf7d02
Instruction ID: b3cae99b7f6c55205e8cb423008fe66fe47196b467b82aedb24c73e1ea417791
Opcode Fuzzy Hash: 8fcf2536153562a3455801b35d767ba6deebe112b555b761beb57404a3cf7d02
Instruction Fuzzy Hash: BE11E4B5D00249CFDB10CF9AC584BDEFBF4AB48320F10842AD959A7250D778A644CFA5

Function 00CE9F74 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-117B5FEC), ref: 00CE9FFB

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CurrentFileThreadView
String ID:
API String ID: 1949693742-0
Opcode ID: 0fa1559dd0a597efc458019d1239f047a95f1be9b622ef028ec99f39b69bc703
Instruction ID: 3ac93d721e1ac5f69144b462651b5dc08eea249bdc8e867256d7e24e37246d17
Opcode Fuzzy Hash: 0fa1559dd0a597efc458019d1239f047a95f1be9b622ef028ec99f39b69bc703
Instruction Fuzzy Hash: DC11B33250018AEFCF12AFA6CC09DDE3B66BF59344B104411FA1296025C736D572FB62

Function 00CE9D5C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 1350520cb8d1b774543a54363ed4ad321f8161ae49510580a8a4489897db77f7
Instruction ID: 8a6c522a582e646a674d15872aa7d7b8a4d6cd5328ab7cfc4d866a90d35380ef
Opcode Fuzzy Hash: 1350520cb8d1b774543a54363ed4ad321f8161ae49510580a8a4489897db77f7
Instruction Fuzzy Hash: 31112D365042DAEBCF12AFA6CC09E9E7B75EF48344F104111FA1196061C775CB71EB50

Function 04F51301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04F51367

Memory Dump Source

Source File: 00000000.00000002.1995018068.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 3db23d2886e9fde24abe39949d83f1dd16f6c7c56b5eebc5ce5d28f7bfc0a029
Instruction ID: d81adc261a0bed225c8e7ca504fc713f1ebc9ae51552ce664c5f26bc2de118a9
Opcode Fuzzy Hash: 3db23d2886e9fde24abe39949d83f1dd16f6c7c56b5eebc5ce5d28f7bfc0a029
Instruction Fuzzy Hash: 431155B1900249CFDB10CF9AD584BDEFBF4EF48324F24842AD558A3650D778A585CFA5

Function 04F51308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04F51367

Memory Dump Source

Source File: 00000000.00000002.1995018068.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f50000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 5f31b6c35002305c9c93e13f07cf7c2775a75f198587d757a2a0fe8babeb81aa
Instruction ID: 079f1c199824ec1b5a02f3b3e5891dcb1c12bd9be41d4b8e76245825034fde47
Opcode Fuzzy Hash: 5f31b6c35002305c9c93e13f07cf7c2775a75f198587d757a2a0fe8babeb81aa
Instruction Fuzzy Hash: 971145B1C00249CFDB10CF9AC545BDEFBF8EB48320F20846AD958A3650D778A984CFA5

Function 00CE9640 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-117B5FEC,?,?,00CE736F,?,?,00000400,?,00000000,?,00000000), ref: 00CE96AC

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CurrentFileReadThread
String ID:
API String ID: 2348311434-0
Opcode ID: 2eb9071e0ac0bdbc5e54af847dbc8d954f294af03124811cf4bba421ac599097
Instruction ID: d67136c1a14fad4125d2001f58f649a6ff5113fff9c9f5d9359541ef0467006a
Opcode Fuzzy Hash: 2eb9071e0ac0bdbc5e54af847dbc8d954f294af03124811cf4bba421ac599097
Instruction Fuzzy Hash: 6AF0C93210018AABCF125FA6CD09EDE3F6AFF59744F004022FA158A021D732C5A1EB61

Function 00CA33E9 Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00CA3BD6

Memory Dump Source

Source File: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 49af38d412ee8c1bdc381f531527d488e17254f0dff2f2221638d4deb20a5057
Instruction ID: 67cad1a3b678e6400ad0a42065ff742d974ce064d5c06ee3021721bee5b4265a
Opcode Fuzzy Hash: 49af38d412ee8c1bdc381f531527d488e17254f0dff2f2221638d4deb20a5057
Instruction Fuzzy Hash: 70F0FFB151D705EFC3002F2AD88626EF7E4FF15310F56492EE6C282680D63544809F47

Function 00B1EB0B Relevance: 1.3, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00B1EB0D

Memory Dump Source

Source File: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2dd0a5ce6a2c612c2da440d41e344615e3475d60ebbe0e3731a51366bda5320
Instruction ID: 22675a50650b1eb58735296f32437a35b43b8a4c9361006114631db22d2c4b74
Opcode Fuzzy Hash: a2dd0a5ce6a2c612c2da440d41e344615e3475d60ebbe0e3731a51366bda5320
Instruction Fuzzy Hash: 5D11597240C3199FC3402E68ECC86FB7AE8DF05720F694A3AAA61D2E40D1619990D296

Function 00B1E475 Relevance: 1.3, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00B1EEFE

Memory Dump Source

Source File: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aea93e07ce3b0554554877026480e4b925d2b6fbfece6ddd13a319aa13d82a33
Instruction ID: f2dc1ffe91f5412e5c65d4118bfa0167839201665b9def1eadec2c799d0d7874
Opcode Fuzzy Hash: aea93e07ce3b0554554877026480e4b925d2b6fbfece6ddd13a319aa13d82a33
Instruction Fuzzy Hash: 490180B2508604DBD7006F08D8847BE7BE4EF58710F69466CFEE147780E635ACA4DA83

Function 00CE4EBE Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 00CE4F22

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 31f8fe9fedc0143e979395b568fa18d7ac11fa36239d32552ff4ca19cf5c3dc1
Instruction ID: 4bf01a2b3b71ed3c1114b2b00853208dfcc508d9ca1de840a072a867b2cbac25
Opcode Fuzzy Hash: 31f8fe9fedc0143e979395b568fa18d7ac11fa36239d32552ff4ca19cf5c3dc1
Instruction Fuzzy Hash: 0601E432A00549FFCF119FA6CC04D9EBBBAFF48740F0051A1B914A5060D7328A61EF60

Function 00CF0AF5 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00CF0AF1,?,?,00CF07F7,?,?,00CF07F7,?,?,00CF07F7), ref: 00CF0B15

Memory Dump Source

Source File: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a40ca083aebc60df8ade7cca91ccc35d08d0a9e548efa0130ccedfedbeef5dc0
Instruction ID: ba71dc05cfe4a40bb543a3a1ecfe0c71d87b98bb95ffdee42c5182a8be115564
Opcode Fuzzy Hash: a40ca083aebc60df8ade7cca91ccc35d08d0a9e548efa0130ccedfedbeef5dc0
Instruction Fuzzy Hash: B5F0F4B1A0420AEFDB25CF04CD05B69BBF0FF85B62F208064F54AAB592D3B099C0CB51

Function 00CE7A41 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

CloseHandle.KERNELBASE(00CE7404,-117B5FEC,?,?,00CE7404,?), ref: 00CE7A7F

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CloseCurrentHandleThread
String ID:
API String ID: 3305057742-0
Opcode ID: 6931c936bca6521921d74d4dfc6b59a8fb9aa5adb9778b6e320dd7a6f4e0bfbb
Instruction ID: e269342528d8eaa23948a3180d98867c7af5e318c4d28006534b78d9e01cd374
Opcode Fuzzy Hash: 6931c936bca6521921d74d4dfc6b59a8fb9aa5adb9778b6e320dd7a6f4e0bfbb
Instruction Fuzzy Hash: 78E086766141C7A6CE207FBBDC0DE9E6F68AF947847106231F102C6045DB75C2A2F361

Function 00CE6B06 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00CE4B8C,?,?), ref: 00CE6B0C

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d6c1acfacd3ad734a15d98b8ab6c8456a58aed851bfb2b143501a44688e2eb59
Instruction ID: 63c4397d58b14e4dd71e98406cf6080575d6187279244ce8faddd5b5681913ec
Opcode Fuzzy Hash: d6c1acfacd3ad734a15d98b8ab6c8456a58aed851bfb2b143501a44688e2eb59
Instruction Fuzzy Hash: 14B0923100050ABBCF41BF92EC0684DBF79BF253A8B10C520B90B54021CB72E961AB95

Non-executed Functions

Function 00CE8E3A Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

GetSystemTime.KERNEL32(?,-117B5FEC), ref: 00CE8E6F
GetFileTime.KERNEL32(?,?,?,?,-117B5FEC), ref: 00CE8EB2

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: Time$CurrentFileSystemThread
String ID:
API String ID: 2191017843-0
Opcode ID: 1fb025a36c36a545070ee02dd74fb2e54928f082140e6e88a72e9c30c861ceb3
Instruction ID: c69878498980b9cb8d3a8605a654d242de6da3e00ac4fde31a6446de17ee6d81
Opcode Fuzzy Hash: 1fb025a36c36a545070ee02dd74fb2e54928f082140e6e88a72e9c30c861ceb3
Instruction Fuzzy Hash: 2101243660058AFBCF21AF2ADC08D9F7F79FF89711B004122F51586160CB72D9A1EB60

Function 00CE9CF8 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00CE9D3F

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: f021d3d82b6c7417df950221f61ba2f768a8986944c3e6afbf961c95368f94c5
Instruction ID: acaf2fbf78a3fb052267ebb0a378e42d701042099b06ce9f09067272960868b3
Opcode Fuzzy Hash: f021d3d82b6c7417df950221f61ba2f768a8986944c3e6afbf961c95368f94c5
Instruction Fuzzy Hash: 29F0F83260024EFFCF01CF95C9489CC7BB1FF18345B108125FA1596110C3759A61EF40

Function 00B25A51 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73632c9b4654f419d700a5449d88a689c9cb9158e95c833094c96d68ecef4db7
Instruction ID: 058e790d4b1503cfee0b0e387657b141b8286e54a1a8f66f934c5d173eef90bd
Opcode Fuzzy Hash: 73632c9b4654f419d700a5449d88a689c9cb9158e95c833094c96d68ecef4db7
Instruction Fuzzy Hash: 8051CEB3F512254BF3984D68CC983A27683DB95310F2F82788E89AB7C5DCBE5D095384

Function 00C91B62 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9805b364a8cdc49c194ec7c1ab7803298c043de0485c75b427d0eb95c347160c
Instruction ID: 32e6a6bd4ef9da897515609b23e7a55f642a4339db63d654c877d16ab38478c5
Opcode Fuzzy Hash: 9805b364a8cdc49c194ec7c1ab7803298c043de0485c75b427d0eb95c347160c
Instruction Fuzzy Hash: 80418EB351C304AFE701AF59EC81ABAFBE9FB59320F16492DE6C4D7610E67158408B93

Function 00C91B88 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb220b9ff276c133576318158802b3e10e9df3f16773cf7e23857dd9a2b8fd4c
Instruction ID: a05ccef5fa20515f50963dfd4ce599a199409c150411707f8fe6e15e8917cfa7
Opcode Fuzzy Hash: fb220b9ff276c133576318158802b3e10e9df3f16773cf7e23857dd9a2b8fd4c
Instruction Fuzzy Hash: 59418CB250C304AFE701AF29EC816BAFBE9FF58324F06492DE6C487710D67158408B93

Function 00CE8370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00CE4CED: GetCurrentThreadId.KERNEL32 ref: 00CE4CFC

Part of subcall function 00CE93EE: IsBadWritePtr.KERNEL32(?,00000004), ref: 00CE93FC

wsprintfA.USER32 ref: 00CE83B6
LoadImageA.USER32(?,?,?,?,?,?), ref: 00CE847A

Strings

%8x, xrefs: 00CE83B1, 00CE83B4
%8x, xrefs: 00CE8444, 00CE8477

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: CurrentImageLoadThreadWritewsprintf
String ID: %8x$%8x
API String ID: 439219941-2046107164
Opcode ID: fd0e887ec1c761b374a28ccbd15744e191a2b1043b5d4825c49bd845f6d8d41d
Instruction ID: 49eea56ccd10f928d078377ed6063f11934edb8d0b7e9e39a4f9f7253c422490
Opcode Fuzzy Hash: fd0e887ec1c761b374a28ccbd15744e191a2b1043b5d4825c49bd845f6d8d41d
Instruction Fuzzy Hash: DD31363190024AFFCF119F95DC49EEEBB79FF88710F108125FA15A61A0CB719A61EB60

Function 00CE8F41 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00F5122C,00004020,00000000,-117B5FEC), ref: 00CE902E

Strings

@, xrefs: 00CE8F6D

Memory Dump Source

Source File: 00000000.00000002.1993284961.0000000000CDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1992909163.0000000000B10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992921777.0000000000B12000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992935327.0000000000B16000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992948347.0000000000B1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1992963019.0000000000B26000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993062025.0000000000C7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993077819.0000000000C80000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C8F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993094858.0000000000C9A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993125756.0000000000CA4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993139390.0000000000CA5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993154364.0000000000CA6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993168260.0000000000CA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993183970.0000000000CB7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993196727.0000000000CB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993214034.0000000000CC8000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993228084.0000000000CC9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993240862.0000000000CCB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993252975.0000000000CCC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993267855.0000000000CD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993299909.0000000000CED000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993313658.0000000000CEF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993330752.0000000000CFF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993346256.0000000000D09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993360273.0000000000D11000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993374023.0000000000D15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993386845.0000000000D16000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993402245.0000000000D1A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993416582.0000000000D23000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993429925.0000000000D26000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993443730.0000000000D27000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993458622.0000000000D29000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993472958.0000000000D31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993487520.0000000000D35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993501403.0000000000D36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993518922.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993533196.0000000000D3A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993547893.0000000000D42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993567393.0000000000D5E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993580306.0000000000D5F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993605105.0000000000D99000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993619863.0000000000D9B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000D9C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993633700.0000000000DA3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993663441.0000000000DB2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1993675928.0000000000DB4000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 434309f36618845c5b51407879f2a706fa4af634f1166844328813052eeca3a2
Instruction ID: 4bd40e8dbf3cfcd85263488540419ee2d93cd9a7ec4e2021505f2c13c375cf3d
Opcode Fuzzy Hash: 434309f36618845c5b51407879f2a706fa4af634f1166844328813052eeca3a2
Instruction Fuzzy Hash: D031CCB1504749EFDF24CF46C848B9EBBB1FF08300F008219E856676A0C3B5AAA4DB80

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 6388, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6388, Parent PID: 2580COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 00CF0752 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 00C9184F Relevance: 1.6, APIs: 1, Instructions: 120
libraryCOMMON

Function 00CE63C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 00CE68C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 00CE9220 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 00CE52A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 00CE69AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 00CE943C Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 00CE8DA8 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 00CF117E Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Function 00CE7427 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 00CE6C43 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00CF0ECB Relevance: 1.6, APIs: 1, Instructions: 65
COMMON