Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561765
MD5:	2f405290a54895095dba7ff04d7a5953
SHA1:	e03dcaf483ba02c2145b3805d50f3c9d6fd50c7a
SHA256:	4588027f22769e9207b98bc72c37b976154f0d0b6f58e2a13991787418f1544c
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2F405290A54895095DBA7FF04D7A5953)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 44%
Source: file.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F5FA3 CryptVerifySignatureA,

0_2_006F5FA3

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1420061486.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 006F0F98 appears 31 times

Source: file.exe, 00000000.00000000.1409140817.0000000000516000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.1554348073.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	ReversingLabs: Detection: 44%
Source: file.exe	Virustotal: Detection: 54%

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2813440 > 1048576

Source: file.exe

Static PE information: Raw size of pypdcipy is bigger than: 0x100000 < 0x2a8e00

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.510000.0.unpack :EW;.rsrc:W;.idata :W;pypdcipy:EW;mkjngwpv:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2b949c should be: 0x2af3cf

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: pypdcipy
Source: file.exe	Static PE information: section name: mkjngwpv
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069E942 push ebx; mov dword ptr [esp], 757FA430h	0_2_0069E960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069E942 push eax; mov dword ptr [esp], ecx	0_2_0069E989
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00522042 push edx; mov dword ptr [esp], edi	0_2_0052406B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051E845 push 1BC6BE8Bh; mov dword ptr [esp], edi	0_2_0051E85F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00521017 push edi; mov dword ptr [esp], 7EEC8ADDh	0_2_00521CF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069B02F push 784376C9h; mov dword ptr [esp], edi	0_2_0069B03D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069B02F push 7649646Fh; mov dword ptr [esp], ebp	0_2_0069B050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00523033 push 0DDC5A60h; mov dword ptr [esp], eax	0_2_00523056
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069B80F push 007769DAh; mov dword ptr [esp], edx	0_2_0069B890
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00522838 push esi; mov dword ptr [esp], 7FF7369Dh	0_2_00522842
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A1804 push edi; ret	0_2_006A1813
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005218D2 push ebx; mov dword ptr [esp], edi	0_2_00524193
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051E8C2 push esi; mov dword ptr [esp], ecx	0_2_0051EA18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A18F6 push eax; ret	0_2_006A1905
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0CC push eax; mov dword ptr [esp], 3FD97A52h	0_2_0069F100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0CC push esi; mov dword ptr [esp], edx	0_2_0069F108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0CC push ecx; mov dword ptr [esp], 1F7FF02Bh	0_2_0069F13E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0CC push 41AC263Ah; mov dword ptr [esp], ebp	0_2_0069F203
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A58DC push eax; mov dword ptr [esp], eax	0_2_006A594E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A58DC push eax; mov dword ptr [esp], eax	0_2_006A5970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A58DC push eax; mov dword ptr [esp], eax	0_2_006A59D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0051F090 push 0E900C01h; mov dword ptr [esp], ecx	0_2_0051F09D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A18A4 push edx; ret	0_2_006A18B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0B3 push eax; mov dword ptr [esp], 3FD97A52h	0_2_0069F100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0B3 push esi; mov dword ptr [esp], edx	0_2_0069F108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0B3 push ecx; mov dword ptr [esp], 1F7FF02Bh	0_2_0069F13E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F0B3 push 41AC263Ah; mov dword ptr [esp], ebp	0_2_0069F203
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074389D push 32B99A40h; mov dword ptr [esp], esi	0_2_007438BA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005208B9 push 2A91EFB0h; mov dword ptr [esp], edx	0_2_00521B37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F96A push edx; mov dword ptr [esp], ebp	0_2_0069FAC4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069F96A push 1E9BFF71h; mov dword ptr [esp], edx	0_2_0069FAF9

Source: file.exe

Static PE information: section name: entropy: 7.757169738716121

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 692747 second address: 69274B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69E6AD second address: 69E6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EA88 second address: 69EA9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jc 00007F921539ABF6h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69ED97 second address: 69EDAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B851h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EDAC second address: 69EDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F921539ABFFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EDC7 second address: 69EDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EDCB second address: 69EDCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EF35 second address: 69EF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EF3B second address: 69EF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jne 00007F921539ABF6h 0x0000000c pop edi 0x0000000d pop edx 0x0000000e push edi 0x0000000f js 00007F921539ABF8h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69EF56 second address: 69EF5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1640 second address: 6A1679 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F921539AC06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F921539AC05h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1679 second address: 6A167F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A167F second address: 6A1683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A16B9 second address: 6A1735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F921527B84Bh 0x0000000d jmp 00007F921527B853h 0x00000012 popad 0x00000013 nop 0x00000014 mov edx, dword ptr [ebp+122D2C9Ch] 0x0000001a push 00000000h 0x0000001c mov ecx, ebx 0x0000001e call 00007F921527B849h 0x00000023 jmp 00007F921527B859h 0x00000028 push eax 0x00000029 jne 00007F921527B85Eh 0x0000002f mov eax, dword ptr [esp+04h] 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1735 second address: 6A1739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1739 second address: 6A1772 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f jo 00007F921527B846h 0x00000015 pop eax 0x00000016 pushad 0x00000017 jbe 00007F921527B846h 0x0000001d jmp 00007F921527B850h 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push esi 0x0000002d pop esi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1772 second address: 6A1785 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539ABFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1785 second address: 6A17BD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F921527B848h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov ecx, 528BA7FCh 0x00000012 push 00000003h 0x00000014 clc 0x00000015 push 00000000h 0x00000017 jnc 00007F921527B84Ch 0x0000001d movzx esi, cx 0x00000020 push 00000003h 0x00000022 sub dword ptr [ebp+122D219Bh], esi 0x00000028 push B252FD61h 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 push edi 0x00000031 pop edi 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A17BD second address: 6A1825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539AC05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F921539ABFFh 0x0000000e popad 0x0000000f add dword ptr [esp], 0DAD029Fh 0x00000016 mov dword ptr [ebp+122D28EEh], esi 0x0000001c lea ebx, dword ptr [ebp+12457536h] 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F921539ABF8h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov dx, bx 0x0000003f mov ecx, dword ptr [ebp+122D2A3Ah] 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1825 second address: 6A182C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A18E2 second address: 6A1934 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F921539ABF8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 jmp 00007F921539ABFBh 0x00000028 push 00000000h 0x0000002a mov edi, eax 0x0000002c call 00007F921539ABF9h 0x00000031 push eax 0x00000032 push edx 0x00000033 jno 00007F921539ABFCh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1934 second address: 6A194C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A194C second address: 6A1952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1952 second address: 6A1956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1956 second address: 6A1977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F921539AC02h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1977 second address: 6A1985 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1985 second address: 6A1989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1989 second address: 6A1993 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1993 second address: 6A1997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1997 second address: 6A19AB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A19AB second address: 6A19AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A19AF second address: 6A19F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [ebp+122D1E62h], esi 0x00000011 push 00000003h 0x00000013 mov dword ptr [ebp+122D28EEh], edx 0x00000019 push 00000000h 0x0000001b mov edi, dword ptr [ebp+122D258Fh] 0x00000021 push 00000003h 0x00000023 mov dword ptr [ebp+122D28DAh], esi 0x00000029 call 00007F921527B849h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 pushad 0x00000032 popad 0x00000033 pop eax 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A19F4 second address: 6A19FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A19FB second address: 6A1A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 je 00007F921527B84Ch 0x0000000f jnc 00007F921527B846h 0x00000015 pop eax 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push esi 0x0000001b jnp 00007F921527B850h 0x00000021 jmp 00007F921527B84Ah 0x00000026 pop esi 0x00000027 mov eax, dword ptr [eax] 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F921527B856h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1A41 second address: 6A1A5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jo 00007F921539AC00h 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1ABB second address: 6A1AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ecx, ebx 0x0000000e push 00000000h 0x00000010 jl 00007F921527B84Eh 0x00000016 je 00007F921527B848h 0x0000001c call 00007F921527B849h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jns 00007F921527B846h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1AFE second address: 6A1B08 instructions: 0x00000000 rdtsc 0x00000002 js 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1B08 second address: 6A1B12 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F921527B84Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1B12 second address: 6A1B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F921539ABFBh 0x00000010 popad 0x00000011 pop esi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F921539ABFEh 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F921539AC04h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1B58 second address: 6A1B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1B5D second address: 6A1B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1B63 second address: 6A1BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F921527B84Bh 0x00000010 pop eax 0x00000011 sub edi, 2EF37C9Fh 0x00000017 push 00000003h 0x00000019 clc 0x0000001a mov cl, 56h 0x0000001c push 00000000h 0x0000001e mov si, dx 0x00000021 push 00000003h 0x00000023 mov dword ptr [ebp+122D201Ch], ecx 0x00000029 push B9CFE632h 0x0000002e pushad 0x0000002f push edx 0x00000030 jne 00007F921527B846h 0x00000036 pop edx 0x00000037 je 00007F921527B84Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6A1BA8 second address: 6A1BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 79CFE632h 0x0000000c xor dword ptr [ebp+122D2A7Ch], edx 0x00000012 lea ebx, dword ptr [ebp+1245754Ah] 0x00000018 jmp 00007F921539AC09h 0x0000001d xchg eax, ebx 0x0000001e push esi 0x0000001f pushad 0x00000020 jmp 00007F921539AC01h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 pop esi 0x00000029 push eax 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push edx 0x0000002e pop edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B300F second address: 6B3013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B3013 second address: 6B3019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1079 second address: 6C10AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F921527B857h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F921527B852h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C14EA second address: 6C1506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC07h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1506 second address: 6C1529 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F921527B84Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C168E second address: 6C16A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539AC01h 0x00000007 jo 00007F921539ABF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C16A9 second address: 6C16AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C17E2 second address: 6C17E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C17E8 second address: 6C17ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1EB5 second address: 6C1EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C21C6 second address: 6C21E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C21E5 second address: 6C21EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C21EE second address: 6C21F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9052 second address: 6B9093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539ABFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007F921539ABF6h 0x00000010 jnc 00007F921539ABF6h 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 pushad 0x0000001a jnl 00007F921539ABF6h 0x00000020 jmp 00007F921539AC08h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9093 second address: 6B90A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F921527B846h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B90A1 second address: 6B90A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B90A7 second address: 6B90B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B90B2 second address: 6B90BC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F921539ABF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68A2E9 second address: 68A2EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68A2EF second address: 68A2FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F921539ABF6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68A2FC second address: 68A31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jbe 00007F921527B846h 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F921527B846h 0x00000018 jne 00007F921527B846h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C237A second address: 6C237E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C237E second address: 6C2384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2384 second address: 6C238D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2957 second address: 6C295D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C295D second address: 6C2962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2C40 second address: 6C2C59 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F921527B846h 0x00000008 jmp 00007F921527B84Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C60B3 second address: 6C60D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539ABFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop esi 0x0000000f jnl 00007F921539ABFEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C60D1 second address: 6C60F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 jbe 00007F921527B846h 0x0000000d pop edx 0x0000000e popad 0x0000000f push edi 0x00000010 jng 00007F921527B84Eh 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CE9E3 second address: 6CE9F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539ABFFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CF235 second address: 6CF23A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CF23A second address: 6CF240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CF3E7 second address: 6CF401 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F921527B84Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D211C second address: 6D217C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F921539ABF6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jno 00007F921539AC0Ch 0x00000018 pop eax 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F921539ABF8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D2609h], esi 0x00000039 push 77B211E6h 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D217C second address: 6D2180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D2180 second address: 6D2189 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D281A second address: 6D281F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D2C2D second address: 6D2C37 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D2C37 second address: 6D2C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F921527B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D2D39 second address: 6D2D43 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F921539ABFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D2DA2 second address: 6D2DA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D3155 second address: 6D315A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D328E second address: 6D3293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D52B2 second address: 6D52CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC08h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D52CF second address: 6D5347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, ecx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F921527B848h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b jmp 00007F921527B851h 0x00000030 jng 00007F921527B851h 0x00000036 jg 00007F921527B84Bh 0x0000003c pushad 0x0000003d mov esi, dword ptr [ebp+122D2B70h] 0x00000043 movsx edx, dx 0x00000046 popad 0x00000047 push 00000000h 0x00000049 jc 00007F921527B84Eh 0x0000004f push ebx 0x00000050 sub dword ptr [ebp+122D1FFCh], eax 0x00000056 pop edi 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D5347 second address: 6D534B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D5DAB second address: 6D5DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D660F second address: 6D6613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D6613 second address: 6D6619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D743B second address: 6D7458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F921539AC09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D7C3E second address: 6D7C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8AB1 second address: 6D8AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8AB5 second address: 6D8ACF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D8ACF second address: 6D8B68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539ABFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F921539AC01h 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F921539ABF8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c jmp 00007F921539ABFAh 0x00000031 mov dword ptr [ebp+1245B4DEh], edx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007F921539ABF8h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov esi, 57FA51ABh 0x00000058 mov edi, dword ptr [ebp+122D2059h] 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F921539AC05h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DBAAF second address: 6DBB52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 nop 0x0000000a jmp 00007F921527B84Fh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F921527B848h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b jmp 00007F921527B853h 0x00000030 sub ebx, 4AE421DCh 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F921527B848h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 jmp 00007F921527B856h 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F921527B851h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DAD18 second address: 6DAD1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DBB52 second address: 6DBB6F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F921527B851h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DCC3E second address: 6DCC42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DCC42 second address: 6DCC48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DCC48 second address: 6DCC4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DCC4E second address: 6DCC52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DDB8F second address: 6DDB95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DDB95 second address: 6DDB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DDB99 second address: 6DDBAB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DDBAB second address: 6DDBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DCD64 second address: 6DCE11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F921539ABF6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 sub dword ptr [ebp+122D3878h], ecx 0x00000017 push dword ptr fs:[00000000h] 0x0000001e add dword ptr [ebp+122D2174h], eax 0x00000024 mov dword ptr [ebp+122D256Dh], eax 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 jmp 00007F921539AC05h 0x00000036 mov eax, dword ptr [ebp+122D0FE9h] 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007F921539ABF8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 mov ebx, dword ptr [ebp+122D2169h] 0x0000005c push FFFFFFFFh 0x0000005e push 00000000h 0x00000060 push ebx 0x00000061 call 00007F921539ABF8h 0x00000066 pop ebx 0x00000067 mov dword ptr [esp+04h], ebx 0x0000006b add dword ptr [esp+04h], 00000015h 0x00000073 inc ebx 0x00000074 push ebx 0x00000075 ret 0x00000076 pop ebx 0x00000077 ret 0x00000078 jmp 00007F921539AC07h 0x0000007d nop 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DCE11 second address: 6DCE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68BD77 second address: 68BD7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6DDE9E second address: 6DDEAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F921527B846h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68BD7F second address: 68BD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68BD85 second address: 68BD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68BD8A second address: 68BDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F921539AC03h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68BDA3 second address: 68BDA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E21E1 second address: 6E21E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E21E5 second address: 6E222E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F921527B855h 0x0000000f push 00000000h 0x00000011 sbb di, 1021h 0x00000016 push 00000000h 0x00000018 jmp 00007F921527B856h 0x0000001d xchg eax, esi 0x0000001e push ecx 0x0000001f pushad 0x00000020 je 00007F921527B846h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E222E second address: 6E2245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F921539ABFEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E034D second address: 6E0351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E1394 second address: 6E13A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539ABFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E3368 second address: 6E3372 instructions: 0x00000000 rdtsc 0x00000002 js 00007F921527B84Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E13A5 second address: 6E13CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jng 00007F921539ABF6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F921539AC04h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E13CA second address: 6E1472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, 6A12h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov edi, dword ptr [ebp+122D24DFh] 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F921527B848h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Ah 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c mov ebx, edx 0x0000003e mov eax, dword ptr [ebp+122D0021h] 0x00000044 push 00000000h 0x00000046 push ebp 0x00000047 call 00007F921527B848h 0x0000004c pop ebp 0x0000004d mov dword ptr [esp+04h], ebp 0x00000051 add dword ptr [esp+04h], 00000017h 0x00000059 inc ebp 0x0000005a push ebp 0x0000005b ret 0x0000005c pop ebp 0x0000005d ret 0x0000005e mov edi, dword ptr [ebp+122D2778h] 0x00000064 push FFFFFFFFh 0x00000066 push ecx 0x00000067 pop ebx 0x00000068 nop 0x00000069 pushad 0x0000006a js 00007F921527B85Ch 0x00000070 jmp 00007F921527B856h 0x00000075 jl 00007F921527B84Ch 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E23A5 second address: 6E23AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8416 second address: 6E8420 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E75D3 second address: 6E75E1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E75E1 second address: 6E766A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F921527B84Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+1247EDBBh], ebx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 ja 00007F921527B84Ch 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov ebx, dword ptr [ebp+12467683h] 0x0000002b mov eax, dword ptr [ebp+122D15B9h] 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F921527B848h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b sub dword ptr [ebp+1247B16Eh], esi 0x00000051 push FFFFFFFFh 0x00000053 mov edi, 0798E0F7h 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F921527B857h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E54C8 second address: 6E54CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8727 second address: 6E872D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E872D second address: 6E8731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E8731 second address: 6E8735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4403 second address: 6E4407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E4407 second address: 6E4411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F921527B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA5F9 second address: 6EA5FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA5FD second address: 6EA60A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA60A second address: 6EA6A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 and bx, 6614h 0x0000000d clc 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov di, dx 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f call 00007F921539AC07h 0x00000024 mov di, si 0x00000027 pop ebx 0x00000028 mov eax, dword ptr [ebp+122D08F9h] 0x0000002e sbb ebx, 3360374Fh 0x00000034 push FFFFFFFFh 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F921539ABF8h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 add bx, ECDAh 0x00000055 pushad 0x00000056 mov dword ptr [ebp+122D29F8h], esi 0x0000005c js 00007F921539ABFCh 0x00000062 mov eax, dword ptr [ebp+122D2E58h] 0x00000068 popad 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F921539AC04h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6A8 second address: 6EA6C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B854h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6C0 second address: 6EA6E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F921539AC05h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB6C1 second address: 6EB6E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F921527B852h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EEE4A second address: 6EEE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F921539ABF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FABE7 second address: 6FABF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAD81 second address: 6FAD89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAD89 second address: 6FAD8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 703467 second address: 703471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F921539ABF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 703471 second address: 7034A8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jmp 00007F921527B84Bh 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F921527B859h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7034A8 second address: 7034AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7034AC second address: 7034B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F921527B846h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7041BC second address: 704204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F921539ABF6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 pop eax 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007F921539ABFBh 0x0000001c mov eax, dword ptr [eax] 0x0000001e jbe 00007F921539ABFAh 0x00000024 push edi 0x00000025 pushad 0x00000026 popad 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F921539AC03h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70A351 second address: 70A395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F921527B84Bh 0x0000000b popad 0x0000000c jmp 00007F921527B84Bh 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 jg 00007F921527B852h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F921527B84Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 697996 second address: 69799C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69799C second address: 6979B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B856h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6979B6 second address: 6979BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6979BC second address: 6979DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B855h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F921527B846h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 709177 second address: 709183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F921539ABF6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 709795 second address: 7097BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F921527B857h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71356F second address: 713573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 713573 second address: 71357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712042 second address: 71206B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539AC09h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F921539ABF6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71206B second address: 71206F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7122F0 second address: 7122F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7122F4 second address: 712322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F921527B84Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F921527B857h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712AFB second address: 712AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F26 second address: 712F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F2A second address: 712F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F33 second address: 712F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F39 second address: 712F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F3E second address: 712F54 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007F921527B846h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007F921527B846h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F54 second address: 712F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712F58 second address: 712F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9BD5 second address: 6B9BF5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007F921539ABF6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F921539AC04h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9BF5 second address: 6B9C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F921527B84Eh 0x00000012 pushad 0x00000013 popad 0x00000014 jnl 00007F921527B846h 0x0000001a pushad 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9C16 second address: 6B9C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9C1B second address: 6B9C2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B9C2E second address: 6B9C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 714EEE second address: 714EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C802 second address: 71C80C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F921539ABF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 68F24C second address: 68F263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a jnc 00007F921527B846h 0x00000010 pop ecx 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0B6D second address: 6D0B77 instructions: 0x00000000 rdtsc 0x00000002 js 00007F921539ABFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D0B77 second address: 6B9052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F921527B857h 0x0000000d jmp 00007F921527B856h 0x00000012 popad 0x00000013 nop 0x00000014 jp 00007F921527B856h 0x0000001a movzx edx, dx 0x0000001d call dword ptr [ebp+122D20C1h] 0x00000023 pushad 0x00000024 push ecx 0x00000025 push eax 0x00000026 pop eax 0x00000027 pop ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c ja 00007F921527B846h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1137 second address: 6D113B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D146B second address: 6D1471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1471 second address: 6D147B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F921539ABF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D147B second address: 6D148E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F921527B848h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D19D6 second address: 6D1A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push edx 0x0000000f jmp 00007F921539AC04h 0x00000014 pop edx 0x00000015 popad 0x00000016 nop 0x00000017 mov dx, si 0x0000001a push 0000001Eh 0x0000001c mov dword ptr [ebp+12476B2Eh], esi 0x00000022 mov edi, dword ptr [ebp+122D2D88h] 0x00000028 nop 0x00000029 pushad 0x0000002a pushad 0x0000002b jmp 00007F921539AC07h 0x00000030 jne 00007F921539ABF6h 0x00000036 popad 0x00000037 push ecx 0x00000038 pushad 0x00000039 popad 0x0000003a pop ecx 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push ecx 0x00000041 pop ecx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1A39 second address: 6D1A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1A3D second address: 6D1A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1DFC second address: 6D1E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1E02 second address: 6B9BD5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push ebx 0x0000000e or ecx, 1ADD2DA6h 0x00000014 pop edx 0x00000015 lea eax, dword ptr [ebp+124868B7h] 0x0000001b movsx ecx, dx 0x0000001e push eax 0x0000001f push eax 0x00000020 je 00007F921539ABFCh 0x00000026 jp 00007F921539ABF6h 0x0000002c pop eax 0x0000002d mov dword ptr [esp], eax 0x00000030 mov dword ptr [ebp+122D2A3Ah], ebx 0x00000036 lea eax, dword ptr [ebp+12486873h] 0x0000003c mov edx, dword ptr [ebp+122D2D20h] 0x00000042 push eax 0x00000043 push edi 0x00000044 push esi 0x00000045 pushad 0x00000046 popad 0x00000047 pop esi 0x00000048 pop edi 0x00000049 mov dword ptr [esp], eax 0x0000004c mov edx, dword ptr [ebp+122D2D9Ch] 0x00000052 call dword ptr [ebp+122D2573h] 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F921539AC03h 0x0000005f jnc 00007F921539ABFEh 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B911 second address: 71B94B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F921527B846h 0x00000008 jmp 00007F921527B856h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007F921527B851h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B94B second address: 71B951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B951 second address: 71B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B955 second address: 71B959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B959 second address: 71B96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921527B850h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B96F second address: 71B990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F921539AC04h 0x00000008 jng 00007F921539ABF6h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71B990 second address: 71B99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F921527B846h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71BADE second address: 71BAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71BF13 second address: 71BF63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B858h 0x00000007 je 00007F921527B856h 0x0000000d jmp 00007F921527B84Ah 0x00000012 ja 00007F921527B846h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jg 00007F921527B846h 0x00000023 jmp 00007F921527B855h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71BF63 second address: 71BF6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71C0CC second address: 71C0F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F921527B846h 0x00000008 jmp 00007F921527B852h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F921527B846h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72105D second address: 721061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 721061 second address: 721065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 721065 second address: 721079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F921539ABFCh 0x0000000e jp 00007F921539ABF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 721379 second address: 72137D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72137D second address: 721381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7214CA second address: 7214D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 720ABD second address: 720ACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F921539ABF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 720ACD second address: 720AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 720AD3 second address: 720AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 720AD7 second address: 720ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7259A8 second address: 7259DB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F921539AC15h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7259DB second address: 7259DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7259DF second address: 7259FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F921539AC05h 0x0000000b popad 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7275CC second address: 7275D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7294BF second address: 7294C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7294C3 second address: 7294FF instructions: 0x00000000 rdtsc 0x00000002 js 00007F921527B846h 0x00000008 jmp 00007F921527B858h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F921527B857h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7294FF second address: 72950B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F921539ABF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72D7CE second address: 72D816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921527B850h 0x00000009 pop edx 0x0000000a jg 00007F921527B84Eh 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F921527B84Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F921527B853h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72D816 second address: 72D820 instructions: 0x00000000 rdtsc 0x00000002 je 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72CF62 second address: 72CF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 686D01 second address: 686D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F921539AC05h 0x0000000a popad 0x0000000b push edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F921539ABF6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 686D2D second address: 686D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 686D31 second address: 686D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7317B5 second address: 7317D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pushad 0x00000007 jmp 00007F921527B856h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7317D6 second address: 7317ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC03h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731959 second address: 73195D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73195D second address: 731990 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F921539ABF8h 0x00000008 jmp 00007F921539AC00h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F921539AC05h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731990 second address: 731995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731DE0 second address: 731DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731DF4 second address: 731E08 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F921527B846h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731E08 second address: 731E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 731F45 second address: 731F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736C73 second address: 736C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736C78 second address: 736CA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F921527B84Fh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F921527B84Ch 0x00000019 pushad 0x0000001a popad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736CA7 second address: 736CAC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736CAC second address: 736CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F921527B846h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F921527B858h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736E4A second address: 736E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC07h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736E65 second address: 736E7A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F921527B84Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736E7A second address: 736E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736E7E second address: 736E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 736FFC second address: 737018 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F921539AC03h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737018 second address: 737032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921527B855h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737032 second address: 737047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F921539AC00h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737047 second address: 73704F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D17EF second address: 6D17F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D17F3 second address: 6D1800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1800 second address: 6D1804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D1804 second address: 6D180E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737BFE second address: 737C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jo 00007F921539ABF6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737C0B second address: 737C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F921527B846h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737C1B second address: 737C32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F921539ABFDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737C32 second address: 737C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737C38 second address: 737C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 737C3C second address: 737C66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B858h 0x00000007 jl 00007F921527B846h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F921527B846h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 69948E second address: 6994B2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F921539ABF6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007F921539ABF6h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F921539ABFDh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E463 second address: 73E467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73E467 second address: 73E47E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F921539ABF6h 0x00000008 jmp 00007F921539ABFDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EAEF second address: 73EAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EAF5 second address: 73EAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EAF9 second address: 73EB17 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jl 00007F921527B846h 0x00000011 pop esi 0x00000012 popad 0x00000013 pushad 0x00000014 js 00007F921527B84Eh 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EB17 second address: 73EB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F921539AC02h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F921539ABFFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EDFB second address: 73EE1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B852h 0x00000007 jc 00007F921527B846h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EE1B second address: 73EE21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EE21 second address: 73EE25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73EE25 second address: 73EE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F11B second address: 73F121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F121 second address: 73F142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F921539AC06h 0x0000000b push edi 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F45E second address: 73F49E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F921527B857h 0x00000008 jmp 00007F921527B851h 0x0000000d push ecx 0x0000000e jmp 00007F921527B850h 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 jnc 00007F921527B84Eh 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F49E second address: 73F4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F9F2 second address: 73F9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73F9FD second address: 73FA03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FD13 second address: 73FD2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921527B84Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FD2B second address: 73FD33 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7434C5 second address: 7434CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F921527B846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7434CF second address: 7434E5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F921539ABF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007F921539ABFEh 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7434E5 second address: 743502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F921527B855h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743502 second address: 74350B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743AB4 second address: 743AD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F921527B856h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 748A45 second address: 748A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 748A4B second address: 748A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F921527B857h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jp 00007F921527B846h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75117D second address: 75118E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F921539ABF6h 0x0000000a popad 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F46D second address: 74F477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FAF8 second address: 74FAFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FD70 second address: 74FD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FD74 second address: 74FD7E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F921539ABF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7501CB second address: 750219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F921527B846h 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007F921527B854h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007F921527B84Ch 0x0000001d je 00007F921527B846h 0x00000023 push edi 0x00000024 jmp 00007F921527B858h 0x00000029 push edx 0x0000002a pop edx 0x0000002b pop edi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750781 second address: 750785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750785 second address: 750793 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750793 second address: 750799 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750799 second address: 7507AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F921527B84Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 757A20 second address: 757A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75750E second address: 75751D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 jnp 00007F921527B854h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75751D second address: 757523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75DE09 second address: 75DE14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F921527B846h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7639C4 second address: 7639D3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7639D3 second address: 7639EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F921527B853h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766E1A second address: 766E24 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766E24 second address: 766E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C51D second address: 76C521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C521 second address: 76C530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F921527B846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C530 second address: 76C53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C53A second address: 76C540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C540 second address: 76C54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C54A second address: 76C562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jnl 00007F921527B846h 0x0000000e pop edx 0x0000000f push ecx 0x00000010 jno 00007F921527B846h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C09E second address: 76C0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C0A4 second address: 76C0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C0AA second address: 76C0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7811BC second address: 7811D1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F921527B846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F921527B846h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6942CE second address: 6942E0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F921539ABF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F921539ABF6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786D9A second address: 786DB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B84Ch 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F921527B84Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 786DB4 second address: 786DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C4D5 second address: 78C4F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B854h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C4F2 second address: 78C500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F921539ABF6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79E7AB second address: 79E7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A44E9 second address: 7A44EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4057 second address: 7A405C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A405C second address: 7A4062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4062 second address: 7A4068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4068 second address: 7A406E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A59CB second address: 7A59DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F921527B84Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A59DF second address: 7A59E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A59E8 second address: 7A59F0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC6AC second address: 7AC6B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC6B4 second address: 7AC6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC6BA second address: 7AC6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC6C3 second address: 7AC6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ABE6F second address: 7ABE87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F921539ABFCh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ABE87 second address: 7ABE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC162 second address: 7AC17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F921539AC05h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC17B second address: 7AC17F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC17F second address: 7AC193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F921539ABFBh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC193 second address: 7AC199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC3ED second address: 7AC3F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC3F3 second address: 7AC3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC3FC second address: 7AC402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC402 second address: 7AC419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jc 00007F921527B846h 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F921527B846h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AC419 second address: 7AC429 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F921539ABF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFB6C second address: 7AFB70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFB70 second address: 7AFB76 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFB76 second address: 7AFBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F921527B857h 0x0000000e jmp 00007F921527B84Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFBA6 second address: 7AFBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFBAB second address: 7AFBC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F921527B846h 0x00000009 jmp 00007F921527B84Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFBC5 second address: 7AFBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F921539AC03h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4C69 second address: 7B4C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921527B855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jg 00007F921527B846h 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4C91 second address: 7B4C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4C95 second address: 7B4CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F921527B857h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B65DC second address: 7B65F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F921539AC03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B65F3 second address: 7B6604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F921527B84Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B82D9 second address: 7B82DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B0BE1 second address: 7B0BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF909 second address: 7AF90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6D4F11 second address: 6D4F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6C6C9A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 51B2C6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6EEEA8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6D0CCC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5229CB instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4DC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A19EE rdtsc

0_2_006A19EE

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 8012

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A19EE rdtsc

0_2_006A19EE

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F50E5 GetSystemTime,GetFileTime,

0_2_006F50E5

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	45%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	54%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561765
Start date and time:	2024-11-24 08:43:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.504625271893116
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'813'440 bytes
MD5:	2f405290a54895095dba7ff04d7a5953
SHA1:	e03dcaf483ba02c2145b3805d50f3c9d6fd50c7a
SHA256:	4588027f22769e9207b98bc72c37b976154f0d0b6f58e2a13991787418f1544c
SHA512:	ca454071f61304ffc7f46c976f74b5d49bed2a5e3e4384d2509adf1e5c7c1a85c9ac9579143ed56081c278fd0b8aed10f6e3e5b1c183d3f4342d55a26108ccc9
SSDEEP:	49152:uIw4p/GG0KyDhWxJY0c7NP+Wlmc4SZz7dRI8:I4QGpyDhcJYX1LP
TLSH:	B8D52AA1F40972CFD48E67789927CD47A85D83B9472408C7A86DA4BA7D73CC137B6C24
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`+.. ...`....@.. ........................+.......+...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6b6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F92146D398Ah
bswap esp
sub al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F92146D5985h
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb al, byte ptr [00000000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	e8e1995b5ae4f7358f5e0b7e5a494ee3	False	0.9305555555555556	PGP Secret Sub-key -	7.757169738716121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pypdcipy	0xa000	0x2aa000	0x2a8e00	71728b4d5515dd23e1a198507faa7a53	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mkjngwpv	0x2b4000	0x2000	0x400	dfa6c82c5ce44ebd5e95484ab04a9df1	False	0.7666015625	data	6.027301494003604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2b6000	0x4000	0x2200	4bda437a1f1bbfcaa93bdafc9a5fadd0	False	0.051011029411764705	DOS executable (COM)	0.5026891444419739	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	02:44:25
Start date:	24/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x510000
File size:	2'813'440 bytes
MD5 hash:	2F405290A54895095DBA7FF04D7A5953
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	4.6%
Signature Coverage:	0%
Total number of Nodes:	263
Total number of Limit Nodes:	10

Executed Functions

Function 006A19EE Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 221
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1A92

Strings

C, xrefs: 006A1C83

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: 7fd63a951188b8f33bfabb70c96c867ea700198c855a3f0de7f723f5d9916259
Instruction ID: 22cb6bf0621aecf7f820aae94465557d15ac171342ccfa1ae627489977e1d4fd
Opcode Fuzzy Hash: 7fd63a951188b8f33bfabb70c96c867ea700198c855a3f0de7f723f5d9916259
Instruction Fuzzy Hash: DE51D6B72891557EE301EA596E10EFB77AEE7C3730F30842AF906DA542E2544E0A5A34

Function 006F266B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 006F277C
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 006F2790

Strings

1002, xrefs: 006F2746
.exe, xrefs: 006F26D7
.dll, xrefs: 006F26B3

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: a6de7ae05f326e52c50b3777b5d7d6921f0b14d173b055588dc321ea517d1a2c
Instruction ID: 81312e9d00b2ba37dc08e0cc8e98112f0c595e3486321d055db51012bdb40dbb
Opcode Fuzzy Hash: a6de7ae05f326e52c50b3777b5d7d6921f0b14d173b055588dc321ea517d1a2c
Instruction Fuzzy Hash: 2331693180420EEFDF25AF50D964ABE7B77FF04350F104129FA069A261CB3199A1DFA5

Function 006F2B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,006F2B03,?,00000000,00000000), ref: 006F2C2E
GetModuleHandleA.KERNEL32(00000000,?,?,?,006F2B03,?,00000000,00000000), ref: 006F2C3C

Strings

.dll, xrefs: 006F2BA4

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: eb2bff11f8c2acfb17ee9a5b1797c6d21ef661e554b04e5b9831d169cc3d131f
Instruction ID: 341d1c635122335a9413a681e0de9182059cdf00d373aa910ef93878e86e3840
Opcode Fuzzy Hash: eb2bff11f8c2acfb17ee9a5b1797c6d21ef661e554b04e5b9831d169cc3d131f
Instruction Fuzzy Hash: B2115E3010150FEEEBB59F14C819BBD3AA3BF10345F140225FB02495A1CBB59AE5CEA2

Function 006F54CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00D383AC,-11DB5FEC), ref: 006F5544
GetFileAttributesA.KERNEL32(00000000,-11DB5FEC), ref: 006F5552

Strings

@, xrefs: 006F54F7

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 4a18726d280e2c0afc3ceded0ba71851fef18f3c279e073f1c21bf89448537d3
Instruction ID: ba8992a6b966dac061d6ba9f5fde3d7a3917fdd5cd6b9535f2aef493456a7811
Opcode Fuzzy Hash: 4a18726d280e2c0afc3ceded0ba71851fef18f3c279e073f1c21bf89448537d3
Instruction Fuzzy Hash: 5F016971504A0CFAEF21AF68C9097BC7EB3BF61385F204065E70369191C7719E92EB44

Function 006A1AF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Strings

C, xrefs: 006A1C83

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-1037565863
Opcode ID: cafeee8d4d25d6cc1e4274bfe7423846ec04fa3d81ecb0be150c0f1b16f8910a
Instruction ID: 6f76ff7e31d48d9cde9cf08607b7b93b5b0ddaa1f6570eb201c4615704f8ac09
Opcode Fuzzy Hash: cafeee8d4d25d6cc1e4274bfe7423846ec04fa3d81ecb0be150c0f1b16f8910a
Instruction Fuzzy Hash: E831EAB61882197DF715DE156E10EFF7B6ED7C3730F30842AF402DA542E2954E0A5A34

Function 006F154B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 006F15AD

Strings

\\?\, xrefs: 006F1608

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 38806ef30d6c3af47abeb662beb84a884b2b1d167c453ac1da3d0dbbaeeb9d55
Instruction ID: 85717608807d97ed553480daae359674d29311ee2fb5e60c58a3799ebe4b72af
Opcode Fuzzy Hash: 38806ef30d6c3af47abeb662beb84a884b2b1d167c453ac1da3d0dbbaeeb9d55
Instruction Fuzzy Hash: 4031E676A0020DFEDF229F94CC09FEEB77ABF56784F040164FA01A95A0D3729A61DB54

Function 006F2C5A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F0F98: GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Part of subcall function 006F0F98: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 006F2CBE

Strings

.dll, xrefs: 006F2C7B

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentHandleModuleSleepThread
String ID: .dll
API String ID: 683542999-2738580789
Opcode ID: 8ce2e79ee89cad99099cb3bb92964f37ebc78beec9f16d91e955691ad0cf9f75
Instruction ID: d68d2f46605914c483a92c639ced59a128f8617cc576835e7c767add4c001d12
Opcode Fuzzy Hash: 8ce2e79ee89cad99099cb3bb92964f37ebc78beec9f16d91e955691ad0cf9f75
Instruction Fuzzy Hash: 0CF09A7210020EEFEF50AF54C889ABD3BA2BF18340F108015FF058A256DB31C6A1DF20

Function 006A1A22 Relevance: 3.2, APIs: 2, Instructions: 180
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1A92

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aaa413dd6975d9b43f3756f0b0596ee81490307395a0a48933a441748a4acc0b
Instruction ID: 46620fe913d37554ce4145e8385ef8097a4b37d52e2a6a22ecfa41f5373c0619
Opcode Fuzzy Hash: aaa413dd6975d9b43f3756f0b0596ee81490307395a0a48933a441748a4acc0b
Instruction Fuzzy Hash: E341F6B728D2557EE305EA156E10EFB7BAEE7C3730F30842AF402CA542E2550E0A5A34

Function 006A1A33 Relevance: 3.2, APIs: 2, Instructions: 176
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1A92

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4914b07099de89345c2f679923e4f8d8cbb21cb4b687b62a50ebc335947ec680
Instruction ID: e200aff9c79dc7357ec1b98b6d31cb5a92aeb9e56a10c14b7ea2d90ba9657031
Opcode Fuzzy Hash: 4914b07099de89345c2f679923e4f8d8cbb21cb4b687b62a50ebc335947ec680
Instruction Fuzzy Hash: 984116B718D2557EE345EA556A50EFB7BAEE7C3730F30843EF402CA542E2510D0A9A34

Function 006F56E7 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00D383AC,?,?,-11DB5FEC,?,?,?,-11DB5FEC,?), ref: 006F5799

Part of subcall function 006F5699: IsBadWritePtr.KERNEL32(?,00000004), ref: 006F56A7

CreateFileA.KERNEL32(?,?,?,-11DB5FEC,?,?,?,-11DB5FEC,?), ref: 006F57B9

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 9a46bb49f205cdef3333f959c9a6dcf4fa5c9293cf0e90cde1a779b577e50da7
Instruction ID: 956c349e7b9e0075246d83a888ef311fd6657b580e4eee7bcb82d1a15e94a0df
Opcode Fuzzy Hash: 9a46bb49f205cdef3333f959c9a6dcf4fa5c9293cf0e90cde1a779b577e50da7
Instruction Fuzzy Hash: 7111E77200094EFADF22AFA4DC09BED3F63BF54384F144015FB0268465D77689A2EB51

Function 006F5053 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F0F98: GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Part of subcall function 006F0F98: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

GetCurrentProcess.KERNEL32(-11DB5FEC), ref: 006F5060
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 006F50C6

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessSleepThread
String ID:
API String ID: 2846201637-0
Opcode ID: ec3604a3c0aa2659b5f3bf4e110af20226ace81829a9e7f731927c314b067fb8
Instruction ID: c36c90d589f9e4a13a7929d037350579514bb046512cda069f44e77c9aec0f29
Opcode Fuzzy Hash: ec3604a3c0aa2659b5f3bf4e110af20226ace81829a9e7f731927c314b067fb8
Instruction Fuzzy Hash: B601FB3210054EEB8F62AFA4DC45CFE3B27BF943507004519FB1695016DF35D962EBA1

Function 006F0F98 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentSleepThread
String ID:
API String ID: 1164918020-0
Opcode ID: 3fd1a514047d0576787620a5f42a71a22cb3053d4a0737c4e7bea7aeb941b791
Instruction ID: 9e5d9856fcf728625d580a084f3a94c2e392f9607a234e5bc0217a3e78255599
Opcode Fuzzy Hash: 3fd1a514047d0576787620a5f42a71a22cb3053d4a0737c4e7bea7aeb941b791
Instruction Fuzzy Hash: C1F0B43150220EEFEB328F50C9887BFB6BAFF4030AF200179D70186542D7B11C55DA81

Function 006A1AB6 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52273afa7fa332c525328dc40fdd40db4b4379234a0aa791f4dd1ae0e26d1542
Instruction ID: 2fd15c8ffb20449333afed245a0d144fa7dddc93fe29bb941f2dacf25faefd36
Opcode Fuzzy Hash: 52273afa7fa332c525328dc40fdd40db4b4379234a0aa791f4dd1ae0e26d1542
Instruction Fuzzy Hash: D831FCB61892557EE706AA145E50EFB7B6EE7C3770F30846AF402DF143E2900D0A6A30

Function 006F36D2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 006F3787

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 393cf30e5cc95b693f6ca14a60464330842d94a3cc88295f86dfebe7cad59c2e
Instruction ID: 23649a67d29a0855e414414153aa04e7cb825028606609cdd062de8051a07c28
Opcode Fuzzy Hash: 393cf30e5cc95b693f6ca14a60464330842d94a3cc88295f86dfebe7cad59c2e
Instruction Fuzzy Hash: F431A4B1900208FEEF209F64DC45FEDBBB9FF44314F208169F615AA291C771AA41CB54

Function 0069E942 Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0069E942

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 56cebb0c674e61a5436be41d51e2c4a2d879a1c6bd16b21a9a3d778b5e3741a1
Instruction ID: e50336e3f51381f46e385a71b8cd9ec83ecdf454604c7fd920b5d440cc4f940c
Opcode Fuzzy Hash: 56cebb0c674e61a5436be41d51e2c4a2d879a1c6bd16b21a9a3d778b5e3741a1
Instruction Fuzzy Hash: 4B31E6B251C610AFE752AF18D8867BEFBE5EF58310F16082DE6C4C3650E6359490CB97

Function 006F2EEE Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 006F2F70

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 425c62193a554222f17eec1daf317e47630e2b39af30312873c5024cbbc97bbb
Instruction ID: b942b6b8b54e6baa310e61692f4e907025c1ca84eff33725d0fa9f93d8f0bb09
Opcode Fuzzy Hash: 425c62193a554222f17eec1daf317e47630e2b39af30312873c5024cbbc97bbb
Instruction Fuzzy Hash: 7A31C1B1A40209BEEB219F64DC46FE97BB9BF04724F204269F711AE2D1C7B1A641CF54

Function 006A1B22 Relevance: 1.6, APIs: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 64ab219c1a15012d08d1763729d154de7edb27e1c0e66e761b0c2b49805771f9
Instruction ID: f735f40ffc69178aa042e74c556e7d589d6f7a9fec0954a6a1ee7c079cc7a0da
Opcode Fuzzy Hash: 64ab219c1a15012d08d1763729d154de7edb27e1c0e66e761b0c2b49805771f9
Instruction Fuzzy Hash: C711E7B61882557EE341EA556E10EFB7B6EE7C3770F30847AF443DA542E2944D0AA930

Function 006A1B47 Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37039ad8bd92f1566d5a68675fccc2bf296e87d2dfe1d0efc52d0e849b271193
Instruction ID: a624fb1cfdb7f3fc1e7c26bfe852c87495423e2cf75317f0ed539b5fb1658967
Opcode Fuzzy Hash: 37039ad8bd92f1566d5a68675fccc2bf296e87d2dfe1d0efc52d0e849b271193
Instruction Fuzzy Hash: 3A11C4B65882597DF345AA256E10EFB7B6FE6C3770F30843AF403DA442E2950E0A6934

Function 006A1B34 Relevance: 1.6, APIs: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe27492482e25e18056656b0785f1ac19895e7f8116911f3547c11f9df77d93a
Instruction ID: db6f280c2936dc6b497ec9dd30c7576f25cc039e4bfd63f9e2bf3d0b7e9e49d4
Opcode Fuzzy Hash: fe27492482e25e18056656b0785f1ac19895e7f8116911f3547c11f9df77d93a
Instruction Fuzzy Hash: 4B11E9B65882557DE345DA216E11EFB7B6EE6C3770F30843AF403DA442E2940E0AA930

Function 006A1B4A Relevance: 1.6, APIs: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2508489eb7496730f3568c25abd8d41df0c1c4f3ac830ae58b1c561bf8366f03
Instruction ID: fa449acc51231ef262264eb4885dcd02e0269efab13207fd572f1f157077378b
Opcode Fuzzy Hash: 2508489eb7496730f3568c25abd8d41df0c1c4f3ac830ae58b1c561bf8366f03
Instruction Fuzzy Hash: 411108B65882557DE351AA516F10EFB7B6EE7C3770F30843AF403DA543E2950D0AA934

Function 04D60D42 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04D60DCD

Memory Dump Source

Source File: 00000000.00000002.1555772935.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: bfe25cfff443df7210c227e0712abb399f8b501d458ea0b8383f08e452858901
Instruction ID: 6777b811e1cc1b6cfc7ac6cdb0677c6650de4198990e2092f5c92a4df0b24c63
Opcode Fuzzy Hash: bfe25cfff443df7210c227e0712abb399f8b501d458ea0b8383f08e452858901
Instruction Fuzzy Hash: CC2137B58012099FDB11CF99D884BDEFBF4FB88710F14821AD809AB244C774A540CFA5

Function 04D60D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04D60DCD

Memory Dump Source

Source File: 00000000.00000002.1555772935.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 3a60d7dfa5ee6fd560cec0cc99dde48bade5ae6ef9e507e27dab5ff3472ce44e
Instruction ID: eafd472e537af1374e102317fec8bfa4d97e5889ecda6164c2189ce28203e9ae
Opcode Fuzzy Hash: 3a60d7dfa5ee6fd560cec0cc99dde48bade5ae6ef9e507e27dab5ff3472ce44e
Instruction Fuzzy Hash: 072135B6C002099FCB10CF99D884BDEFBF4FB88710F14821AD809AB244C734A540CFA5

Function 04D61509 Relevance: 1.6, APIs: 1, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04D61580

Memory Dump Source

Source File: 00000000.00000002.1555772935.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 2559a80d461daea6b47befd481cfb9f0bd90395b9f1e74840d629972564c99b7
Instruction ID: c86b040cf195e441f40c419412b27ada98cd26000b93e68bd3e456bb6bca7e0d
Opcode Fuzzy Hash: 2559a80d461daea6b47befd481cfb9f0bd90395b9f1e74840d629972564c99b7
Instruction Fuzzy Hash: BF2103B59003499FDB10CF9AC884BDEFBF4AB48324F108429E559A7340D778A644CFA5

Function 006A1BFE Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c55e14ca22b7df45cc82d161e4d2e1922f385b4c376f6cfd48ff2a7890bea528
Instruction ID: e2b2eb967af4bd41306eff4027a2e90c94b64c62a8174a4a6c4dc665ad6ac1f4
Opcode Fuzzy Hash: c55e14ca22b7df45cc82d161e4d2e1922f385b4c376f6cfd48ff2a7890bea528
Instruction Fuzzy Hash: A0014C361CD3D96EE346EB215D508EA7F7AED83370B2440AAE483CA043C2484D4FDA34

Function 04D61510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04D61580

Memory Dump Source

Source File: 00000000.00000002.1555772935.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 0c78965bd36e1b6eecfcc9dc3687067873b0e7cc105c436cf5a020f15c894466
Instruction ID: d6b7987a9742014d90a28256534c2185492ce3c747a045d36409615943c3f314
Opcode Fuzzy Hash: 0c78965bd36e1b6eecfcc9dc3687067873b0e7cc105c436cf5a020f15c894466
Instruction Fuzzy Hash: F211E4B59003499FDB10CF9AC884BDEFBF4FB48320F108429E559A3250D778A645CFA5

Function 04D61301 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04D61367

Memory Dump Source

Source File: 00000000.00000002.1555772935.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 52ece695fa0651551a8ae603b12925099cb234ec08263bbfbb6561cbc49cfa6b
Instruction ID: 6c45c340c12859f2551018d0fa69063c05be978729770e70b7b3fd4590e67b30
Opcode Fuzzy Hash: 52ece695fa0651551a8ae603b12925099cb234ec08263bbfbb6561cbc49cfa6b
Instruction Fuzzy Hash: B41125B1800249CFDB10CF9AD484BDEFBF4EF48724F10841AD559A3640C778A945CFA5

Function 04D61308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04D61367

Memory Dump Source

Source File: 00000000.00000002.1555772935.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d60000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 6e2fb50a489ff1b98dfecc10f74b01c3fa74410d57426e0cae032dde997dcae4
Instruction ID: acf2617c036a3b0a602d49f845d603a69b3d582bbef5ef6c7e7e053b942158f2
Opcode Fuzzy Hash: 6e2fb50a489ff1b98dfecc10f74b01c3fa74410d57426e0cae032dde997dcae4
Instruction Fuzzy Hash: 3F1133B1800349CFDB20CF9AC844BDEFBF8EB48720F20842AD559A3640C778A944CFA5

Function 006F58EB Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006F0F98: GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Part of subcall function 006F0F98: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11DB5FEC,?,?,006F361A,?,?,00000400,?,00000000,?,00000000), ref: 006F5957

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentFileReadSleepThread
String ID:
API String ID: 1253362762-0
Opcode ID: 70a1d0d89254a94c9c960d2138367390122b49b4f2fc92a0ded53fc865d36844
Instruction ID: e910eee96c15d02f78e712016d06122f7ed706fe9176ff308074df7665e9ec87
Opcode Fuzzy Hash: 70a1d0d89254a94c9c960d2138367390122b49b4f2fc92a0ded53fc865d36844
Instruction Fuzzy Hash: 87F01D3210054EEBCF165F98DC05DAE3B67BF55350F048015F71259121DB76C9A2EB61

Function 006A1BE1 Relevance: 1.5, APIs: 1, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,B9CFE632,00000003,00000000,00000003,006A1AF0,00000000,?,006A19EA,00000003,00000000,00000003,006A1922,00000000), ref: 006A1C16

Memory Dump Source

Source File: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 936ac471aedbc0f78d06cd155960f9706ede688e40b63f236b101f760fd2a2e5
Instruction ID: baafb18fae3106f8573b9709e96758afca36fb89fddd12c3ac8bba75eda8ba61
Opcode Fuzzy Hash: 936ac471aedbc0f78d06cd155960f9706ede688e40b63f236b101f760fd2a2e5
Instruction Fuzzy Hash: C4E022B958D2826FA311BA201D108BF2B1FEAC333071084A9EC03CA502CA088C079970

Function 006F28CE Relevance: 1.5, APIs: 1, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(006F2084,006F2084), ref: 006F2919

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 1df0437fa7a7db896cd60c4f551e8ba30d50861b1c5c2fcedf5494d65d0660c5
Instruction ID: d86683b1bb8b2dc98483f789b955e92dc9166ded656731ae8c38b5fa037a93d0
Opcode Fuzzy Hash: 1df0437fa7a7db896cd60c4f551e8ba30d50861b1c5c2fcedf5494d65d0660c5
Instruction Fuzzy Hash: B2E06D7210005EEA8F523FB1DC299BD3B5BAFA0380B008029BF0659061DF74C6A2EE65

Function 006F1169 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 006F11CD

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 84d795743f900aeaf867a34559dc443d97b888fce6517f6c4aa6a629c13c0381
Instruction ID: 73e2a11dbd887f2c26ce6a74b130ba1b0c1de66e6a9e1b5953060e1d67083b34
Opcode Fuzzy Hash: 84d795743f900aeaf867a34559dc443d97b888fce6517f6c4aa6a629c13c0381
Instruction Fuzzy Hash: 1801D63260010EFFCF119FA5CC04DEEBF76EF46780F004165B601A8560D7329A61DB64

Function 006F3CEC Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 006F0F98: GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Part of subcall function 006F0F98: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

CloseHandle.KERNELBASE(006F36AF,-11DB5FEC,?,?,006F36AF,?), ref: 006F3D2A

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseCurrentHandleSleepThread
String ID:
API String ID: 4003616898-0
Opcode ID: 54755fd43e176f1f8954b70050c7daf095b3070359b098b37f2a7edcb3b81294
Instruction ID: d10ef816316c7edb6434a04d72cb240168b4b2091709372fe79787bacd7dfb0d
Opcode Fuzzy Hash: 54755fd43e176f1f8954b70050c7daf095b3070359b098b37f2a7edcb3b81294
Instruction Fuzzy Hash: E0E0D8B210045DA5DD613AB8C849C7D1A1BAFD13407004126B7019D142DE24C682C664

Function 0051EFDB Relevance: 1.3, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0051EFF4

Memory Dump Source

Source File: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c92a3d33004f0fc4ce0107631af0515dacb781c163b20012e30497f6088cbc6
Instruction ID: e91470a386515c85c232dcb1dcfb6c113e60c607cd763b18bcfae0c38af485c3
Opcode Fuzzy Hash: 3c92a3d33004f0fc4ce0107631af0515dacb781c163b20012e30497f6088cbc6
Instruction Fuzzy Hash: B2E017B640C20ADFEB002F60D80A7EEBBA4EF15336F000B15EE61C1AC0C3358C90DA1A

Function 006F2DB1 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,006F0E37,?,?), ref: 006F2DB7

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9953091d68157ba0eb5d09794f5cf63658722ecc324f39f751f65d8fcbcb64f2
Instruction ID: 3c4b5b0f72954ad94cb87c774bccafd0da83cf97236091ba9a653bf97280e482
Opcode Fuzzy Hash: 9953091d68157ba0eb5d09794f5cf63658722ecc324f39f751f65d8fcbcb64f2
Instruction Fuzzy Hash: 74B0923200050DBBCF82BF65DC0688DBFAABF51399B108120FA16484318B76EA609B94

Non-executed Functions

Function 006F50E5 Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006F0F98: GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Part of subcall function 006F0F98: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

GetSystemTime.KERNEL32(?,-11DB5FEC), ref: 006F511A
GetFileTime.KERNEL32(?,?,?,?,-11DB5FEC), ref: 006F515D

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: Time$CurrentFileSleepSystemThread
String ID:
API String ID: 3818558864-0
Opcode ID: 6999cd07b64004155c02dd668652153a4dabfab01a17ac24779d06a199c26759
Instruction ID: e6894abf999cab1141559bd49ecf348e315ee6c687bba4d089e9755711a4fa7a
Opcode Fuzzy Hash: 6999cd07b64004155c02dd668652153a4dabfab01a17ac24779d06a199c26759
Instruction Fuzzy Hash: 9201283224054AFBDF219F99DC08EAF7F36FF92301B004526F612490A1CB7299A2DA60

Function 006F5FA3 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 006F5FEA

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: cc50e32f678a6a55766c679baf347ef202e2d43db5f3576f2b2e584281770806
Instruction ID: b1e9056d2c1bd5a15aa8fcb1a2714283e0306cdb651d72f59b8cb0a5cd0d6d41
Opcode Fuzzy Hash: cc50e32f678a6a55766c679baf347ef202e2d43db5f3576f2b2e584281770806
Instruction Fuzzy Hash: 7DF01C3260560EFFCF01DF94C90499D7BB2FF15315B108265FA0696251D376DA61EF40

Function 006F461B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 006F0F98: GetCurrentThreadId.KERNEL32 ref: 006F0FA7
Part of subcall function 006F0F98: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 006F0FEA

Part of subcall function 006F5699: IsBadWritePtr.KERNEL32(?,00000004), ref: 006F56A7

wsprintfA.USER32 ref: 006F4661
LoadImageA.USER32(?,?,?,?,?,?), ref: 006F4725

Strings

%8x, xrefs: 006F465C, 006F465F
%8x, xrefs: 006F46EF, 006F4722

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: CurrentImageLoadSleepThreadWritewsprintf
String ID: %8x$%8x
API String ID: 2375920415-2046107164
Opcode ID: c02fb9663ece163ffcff71e3d091241be82f84e30c30f7286e07a3a52c8a8afc
Instruction ID: d3f521cedf9ea15aeeec49c8d400ea1e2eb3f377c9e071f3a47a45354fc48cd2
Opcode Fuzzy Hash: c02fb9663ece163ffcff71e3d091241be82f84e30c30f7286e07a3a52c8a8afc
Instruction Fuzzy Hash: B231F57290010AEFDF119F94DC49EEEBB76FF89700F108125F611A61A1CB719A62DB50

Function 006F51EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00D383AC,00004020,00000000,-11DB5FEC), ref: 006F52D9

Strings

@, xrefs: 006F5218

Memory Dump Source

Source File: 00000000.00000002.1553846158.00000000006EC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true

Associated: 00000000.00000002.1553391778.0000000000510000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553409181.0000000000512000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553430851.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553449487.000000000051A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553471862.0000000000526000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553616192.0000000000683000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553633167.0000000000686000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.000000000069B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553654204.00000000006A9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553690985.00000000006AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553718284.00000000006B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553743798.00000000006C3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553761222.00000000006C5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553791287.00000000006C7000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553806755.00000000006C8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553827193.00000000006DA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553860426.00000000006F6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553873628.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553889435.00000000006F9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553905018.00000000006FB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553926126.0000000000713000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553938620.0000000000714000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553952327.0000000000715000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553966972.0000000000718000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1553982437.0000000000719000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554000101.000000000071D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554015455.000000000071E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554031797.0000000000723000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554049262.0000000000735000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554065413.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554080809.0000000000741000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554097088.0000000000748000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554116777.0000000000750000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554135067.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554176666.00000000007A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554189709.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554204489.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554234306.00000000007C4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1554246554.00000000007C6000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_510000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 53fe506a82865f30c33272c3fc294346e725361bc741ce903597128e46a5936a
Instruction ID: 32fbb93c1d5a6b2ae12dcc2de3814fff2ae302bcb6b2ee2f9b4161480dbc4484
Opcode Fuzzy Hash: 53fe506a82865f30c33272c3fc294346e725361bc741ce903597128e46a5936a
Instruction Fuzzy Hash: 97319EB5504B09EFDF258F54D8447AEBBB1FF08340F008619EA566B650C371AAA1CF80

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7844, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7844, Parent PID: 4084COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 006A19EE Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 221
fileCOMMON

Function 006F266B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 006F2B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 006F54CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 006A1AF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128
fileCOMMON

Function 006F154B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 006F2C5A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 006A1A22 Relevance: 3.2, APIs: 2, Instructions: 180
fileCOMMON

Function 006A1A33 Relevance: 3.2, APIs: 2, Instructions: 176
fileCOMMON

Function 006F56E7 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 006F5053 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 006F0F98 Relevance: 3.0, APIs: 2, Instructions: 33
sleepthreadCOMMON

Function 006A1AB6 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Function 006F36D2 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 0069E942 Relevance: 1.6, APIs: 1, Instructions: 95
libraryCOMMON