Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562043
MD5:	608d3da8209e0d1c47b711e477034bc8
SHA1:	82b9937f2c50dc5088c53e10639a440640492797
SHA256:	27325de4206e0dc0953ad9256e77e3a16a1575a6fc71435c2c389e9fdf6f29b5
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5028 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 608D3DA8209E0D1C47B711E477034BC8)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 53%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097BD6C CryptVerifySignatureA,

0_2_0097BD6C

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2124413957.0000000004B00000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009214B3	0_2_009214B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924C01	0_2_00924C01
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00924C08	0_2_00924C08

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00976D61 appears 33 times

Source: file.exe, 00000000.00000000.2114394710.00000000007A6000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 53%

Source: file.exe

String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2781696 > 1048576

Source: file.exe

Static PE information: Raw size of kxoxrxce is bigger than: 0x100000 < 0x2a1200

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.7a0000.0.unpack :EW;.rsrc:W;.idata :W;kxoxrxce:EW;lfwoxnnu:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2b3100 should be: 0x2ab234

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: kxoxrxce
Source: file.exe	Static PE information: section name: lfwoxnnu
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AE3DA push ecx; mov dword ptr [esp], edx	0_2_007AE47C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B05AB push 74B83601h; mov dword ptr [esp], ecx	0_2_007B3BB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009246DE push eax; mov dword ptr [esp], 083AAB96h	0_2_00924722
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009246DE push 77EC51FFh; mov dword ptr [esp], esi	0_2_00924768
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B106D push 75BCF0E6h; mov dword ptr [esp], esp	0_2_007B38F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092508E push edi; mov dword ptr [esp], 2732BF00h	0_2_00925107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009480A7 push edx; mov dword ptr [esp], esi	0_2_009480FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009480A7 push eax; mov dword ptr [esp], esp	0_2_0094812F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B202F push ecx; mov dword ptr [esp], eax	0_2_007B2047
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AF004 push 0A1EE4F5h; mov dword ptr [esp], ebx	0_2_007B16C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AF004 push ecx; mov dword ptr [esp], ebx	0_2_007B2079
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00932017 push ecx; mov dword ptr [esp], ebx	0_2_00932035
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00931014 push edx; mov dword ptr [esp], 79199D18h	0_2_00931036
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099F021 push edx; mov dword ptr [esp], ebx	0_2_0099F05E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099F021 push edi; mov dword ptr [esp], 53FFD651h	0_2_0099F07D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1606C push 7B115064h; mov dword ptr [esp], edi	0_2_00A16119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AF0A0 push 68AD33B1h; mov dword ptr [esp], esi	0_2_007AF0BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00925072 push edi; mov dword ptr [esp], 2732BF00h	0_2_00925107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093107A push 7F8A4DB2h; mov dword ptr [esp], ebp	0_2_00931912
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00926065 push ebx; mov dword ptr [esp], edx	0_2_00926066
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00922194 push esi; mov dword ptr [esp], ebx	0_2_00922287
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B117D push edx; mov dword ptr [esp], edi	0_2_007B3251
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B117D push ebp; mov dword ptr [esp], edx	0_2_007B326B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AE16A push ebx; mov dword ptr [esp], ecx	0_2_007AEA23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007B1168 push 68525F62h; mov dword ptr [esp], eax	0_2_007B1170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AE14D push ebx; mov dword ptr [esp], ecx	0_2_007AEA23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AD147 push ebp; mov dword ptr [esp], edx	0_2_007AD16F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AD147 push 77A9E19Ah; mov dword ptr [esp], esp	0_2_007AD18E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009221F2 push ecx; mov dword ptr [esp], edx	0_2_00922223
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007AE112 push ebx; mov dword ptr [esp], ecx	0_2_007AEA23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0099F1F3 push ebx; mov dword ptr [esp], 62AA741Eh	0_2_0099F251

Source: file.exe

Static PE information: section name: entropy: 7.805428397058871

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ADAA7 second address: 7ADAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ADAAC second address: 7ADAB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92535F second address: 925369 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8B9D37AC76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 925369 second address: 92539C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8B9CDB99DAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007F8B9CDB99D2h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8B9CDB99D5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92539C second address: 9253A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9253A0 second address: 9253C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8B9CDB99D7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92497A second address: 924990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jnp 00007F8B9D37AC7Ah 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 924990 second address: 9249A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8B9CDB99CFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927B85 second address: 927B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9D37AC83h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927C6A second address: 927CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop ebx 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d mov ecx, dword ptr [ebp+122D36C4h] 0x00000013 call 00007F8B9CDB99C9h 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007F8B9CDB99CDh 0x0000001f jc 00007F8B9CDB99C6h 0x00000025 popad 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927CA1 second address: 927CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927CAD second address: 927CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927CB2 second address: 927D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jng 00007F8B9D37AC8Bh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edx 0x00000016 jmp 00007F8B9D37AC89h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jmp 00007F8B9D37AC7Eh 0x00000025 pop eax 0x00000026 xor cl, FFFFFFA8h 0x00000029 push 00000003h 0x0000002b ja 00007F8B9D37AC7Ch 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F8B9D37AC78h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d mov edx, esi 0x0000004f sub edi, dword ptr [ebp+122D397Ch] 0x00000055 push 00000003h 0x00000057 mov cl, BAh 0x00000059 call 00007F8B9D37AC79h 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927D6B second address: 927D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927D6F second address: 927D73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927D73 second address: 927D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927D79 second address: 927D7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927D7E second address: 927DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F8B9CDB99D0h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edx 0x00000012 jnc 00007F8B9CDB99CCh 0x00000018 pop edx 0x00000019 mov eax, dword ptr [eax] 0x0000001b jmp 00007F8B9CDB99D3h 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 jp 00007F8B9CDB99C6h 0x0000002d pop ecx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927DCB second address: 927DD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927F80 second address: 927F86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 927F86 second address: 927F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91AF0E second address: 91AF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91AF14 second address: 91AF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9D37AC84h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94702C second address: 947046 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B9CDB99D0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947046 second address: 94704A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94704A second address: 94705E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9CDB99D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94783E second address: 947880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F8B9D37AC88h 0x0000000b popad 0x0000000c jo 00007F8B9D37AC7Ch 0x00000012 jnl 00007F8B9D37AC76h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 push esi 0x00000023 pop esi 0x00000024 pushad 0x00000025 popad 0x00000026 pop edi 0x00000027 jl 00007F8B9D37AC78h 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947880 second address: 947886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947886 second address: 94788C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94788C second address: 947892 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9479F8 second address: 947A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8B9D37AC76h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947A06 second address: 947A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947A0C second address: 947A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947E1B second address: 947E25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 915E6A second address: 915E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9487FA second address: 948808 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 948AEC second address: 948AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 948AF2 second address: 948AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94DEE8 second address: 94DEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94DEED second address: 94DEF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8B9CDB99C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CC5C second address: 94CC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9D37AC89h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9178B7 second address: 9178BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9178BB second address: 9178D6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8B9D37AC76h 0x00000008 jmp 00007F8B9D37AC7Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953EED second address: 953EF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953EF1 second address: 953EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953EF7 second address: 953EFC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954069 second address: 954083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F8B9D37AC78h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jl 00007F8B9D37AC76h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9541DF second address: 9541F4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8B9CDB99C6h 0x00000008 jmp 00007F8B9CDB99CBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9541F4 second address: 954204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8B9D37AC76h 0x0000000a jng 00007F8B9D37AC76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954204 second address: 954208 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954208 second address: 95420E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95420E second address: 954217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954387 second address: 95438B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95438B second address: 954390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955015 second address: 95501A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95501A second address: 955035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F8B9CDB99D1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955035 second address: 95503F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8B9D37AC7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9550EE second address: 955115 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8B9CDB99CBh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jnc 00007F8B9CDB99C8h 0x00000016 pushad 0x00000017 jp 00007F8B9CDB99C6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955283 second address: 955297 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B9D37AC7Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955581 second address: 955585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955585 second address: 95558B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95558B second address: 95558F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9558D1 second address: 9558D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9558D7 second address: 9558DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955D16 second address: 955D45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8B9D37AC7Bh 0x0000000f xchg eax, ebx 0x00000010 add edi, dword ptr [ebp+122D3670h] 0x00000016 nop 0x00000017 pushad 0x00000018 js 00007F8B9D37AC7Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955D45 second address: 955D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8B9CDB99CCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955D51 second address: 955D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B9D37AC89h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955E5E second address: 955E6E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B9CDB99C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955EFE second address: 955F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9560F2 second address: 9560F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9562A7 second address: 9562CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b jmp 00007F8B9D37AC7Eh 0x00000010 pop eax 0x00000011 push eax 0x00000012 js 00007F8B9D37AC8Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95704B second address: 95705E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B9CDB99CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95705E second address: 957062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9581F5 second address: 95820C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jmp 00007F8B9CDB99CDh 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957996 second address: 9579CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B9D37AC7Bh 0x00000008 jns 00007F8B9D37AC76h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F8B9D37AC89h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957062 second address: 957074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007F8B9CDB99D4h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958C13 second address: 958C91 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8B9D37AC7Ch 0x00000008 jl 00007F8B9D37AC76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F8B9D37AC78h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1ED2h], esi 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D1CA2h], edx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F8B9D37AC78h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 00000018h 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 xchg eax, ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F8B9D37AC88h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958963 second address: 958967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958C91 second address: 958CC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8B9D37AC86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958CC4 second address: 958CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9597D2 second address: 9597D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9597D6 second address: 95984D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F8B9CDB99C8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov si, F884h 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D35D3h], ecx 0x00000030 mov si, 7F20h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007F8B9CDB99C8h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 pushad 0x00000051 mov ebx, 75245DE7h 0x00000056 movsx edx, di 0x00000059 popad 0x0000005a xchg eax, ebx 0x0000005b jmp 00007F8B9CDB99CAh 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 je 00007F8B9CDB99C6h 0x0000006a pushad 0x0000006b popad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95CDAE second address: 95CE24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F8B9D37AC78h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 xor dword ptr [ebp+122D1DA8h], esi 0x00000028 mov esi, dword ptr [ebp+122D37B0h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F8B9D37AC78h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a adc esi, 1D6A9299h 0x00000050 push 00000000h 0x00000052 xchg eax, ebx 0x00000053 push ebx 0x00000054 push esi 0x00000055 push edx 0x00000056 pop edx 0x00000057 pop esi 0x00000058 pop ebx 0x00000059 push eax 0x0000005a pushad 0x0000005b jnp 00007F8B9D37AC7Ch 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95AB1D second address: 95AB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96142D second address: 961487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 mov ebx, 521E08EDh 0x0000000d or edi, 17F4CD00h 0x00000013 push 00000000h 0x00000015 call 00007F8B9D37AC7Eh 0x0000001a mov edi, ecx 0x0000001c pop ebx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F8B9D37AC78h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000017h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 pushad 0x0000003a movzx edi, cx 0x0000003d sub dword ptr [ebp+122D2A50h], ebx 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 pushad 0x00000049 popad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 961487 second address: 96148C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96148C second address: 961491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92012F second address: 92013E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F8B9CDB99CAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9616AB second address: 9616B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 963B3C second address: 963B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8B9CDB99D7h 0x00000011 pop edx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F8B9CDB99C8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d xor dword ptr [ebp+122D2335h], ecx 0x00000033 push 00000000h 0x00000035 sub dword ptr [ebp+1244B27Ah], edx 0x0000003b push 00000000h 0x0000003d mov ebx, edx 0x0000003f js 00007F8B9CDB99CAh 0x00000045 mov di, 16BDh 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 963B9F second address: 963BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964B65 second address: 964B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9CDB99D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F8B9CDB99D0h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965B89 second address: 965B8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965B8D second address: 965B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965B93 second address: 965BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D2322h], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+122D1EC0h], ebx 0x0000001c cmc 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push edi 0x00000022 pop edi 0x00000023 jmp 00007F8B9D37AC80h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 965D0A second address: 965D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 967D64 second address: 967D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 967D80 second address: 967D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969C00 second address: 969C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 967D86 second address: 967D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969C04 second address: 969C20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B9D37AC84h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 968E60 second address: 968E7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B9CDB99D7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96AB81 second address: 96AB87 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96AB87 second address: 96AB8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96AB8D second address: 96AB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96AB91 second address: 96AC06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F8B9CDB99CAh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F8B9CDB99C8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D3908h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F8B9CDB99C8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov ebx, 238CD732h 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jne 00007F8B9CDB99CCh 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96BC1A second address: 96BC24 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8B9D37AC76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CC37 second address: 96CC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CC3D second address: 96CCB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8B9D37AC87h 0x0000000a popad 0x0000000b push eax 0x0000000c jnc 00007F8B9D37AC8Fh 0x00000012 nop 0x00000013 adc bl, FFFFFF82h 0x00000016 call 00007F8B9D37AC83h 0x0000001b mov dword ptr [ebp+122D2340h], esi 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 mov bl, E7h 0x00000026 push 00000000h 0x00000028 xor dword ptr [ebp+12481C17h], edx 0x0000002e push eax 0x0000002f pushad 0x00000030 jl 00007F8B9D37AC78h 0x00000036 push edi 0x00000037 pop edi 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EC2C second address: 96EC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CE2D second address: 96CE3B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8B9D37AC76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96DFB3 second address: 96DFB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971D97 second address: 971DC3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8B9D37AC82h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F8B9D37AC7Fh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EEC5 second address: 97EEC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EEC9 second address: 97EECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EECD second address: 97EEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F8B9CDB99C6h 0x0000000e jmp 00007F8B9CDB99CCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EEE7 second address: 97EF1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8B9D37AC82h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8B9D37AC88h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EF1E second address: 97EF4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8B9CDB99D8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007F8B9CDB99C6h 0x00000012 jns 00007F8B9CDB99C6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EF4A second address: 97EF58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B9D37AC7Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EF58 second address: 97EF7E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8B9CDB99C6h 0x00000008 jl 00007F8B9CDB99C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F8B9CDB99D2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97EF7E second address: 97EF82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982086 second address: 98208A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98208A second address: 9820A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9D37AC83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982216 second address: 98221C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98221C second address: 982239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B9D37AC85h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982239 second address: 982260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9CDB99CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8B9CDB99D3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982539 second address: 98253D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98253D second address: 982553 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8B9CDB99C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007F8B9CDB99C6h 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95CBAA second address: 95CBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98A3BD second address: 98A3D1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8B9CDB99C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98A3D1 second address: 98A3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8B9D37AC76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98A4B3 second address: 98A4B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99057C second address: 9905A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8B9D37AC89h 0x0000000b popad 0x0000000c je 00007F8B9D37AC82h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9905A4 second address: 9905AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98F2EB second address: 98F2EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FBFF second address: 98FC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FE77 second address: 98FE7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FE7B second address: 98FE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FE81 second address: 98FEA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F8B9D37AC76h 0x00000009 jmp 00007F8B9D37AC89h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FEA5 second address: 98FEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FEAB second address: 98FEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FFDC second address: 98FFE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FFE2 second address: 98FFE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FFE6 second address: 98FFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99029B second address: 99029F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99029F second address: 9902A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9903FD second address: 99040F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F8B9D37AC76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99040F second address: 990434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9CDB99D7h 0x00000007 js 00007F8B9CDB99C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 990434 second address: 990446 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 js 00007F8B9D37AC76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 990446 second address: 99045F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9CDB99D5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994BE6 second address: 994BF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B9D37AC7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994BF5 second address: 994BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994D30 second address: 994D36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994D36 second address: 994D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F8B9CDB99C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994E7D second address: 994E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994E83 second address: 994E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B9CDB99D0h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99500C second address: 995022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC80h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995022 second address: 99505F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B9CDB99D9h 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007F8B9CDB99C6h 0x00000010 jne 00007F8B9CDB99C6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b ja 00007F8B9CDB99D2h 0x00000021 js 00007F8B9CDB99C6h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99505F second address: 99506D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8B9D37AC7Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99506D second address: 995089 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8B9CDB99D5h 0x00000008 jmp 00007F8B9CDB99CFh 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9951B3 second address: 9951D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007F8B9D37AC76h 0x0000000b pop edi 0x0000000c jmp 00007F8B9D37AC7Eh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jg 00007F8B9D37AC82h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9951D8 second address: 9951E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8B9CDB99C6h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9951E5 second address: 9951EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910E58 second address: 910E5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9944F2 second address: 9944F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9944F6 second address: 994503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E078 second address: 99E07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E07E second address: 99E09D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8B9CDB99CCh 0x00000008 pushad 0x00000009 jmp 00007F8B9CDB99CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E34C second address: 99E35F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E35F second address: 99E365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E365 second address: 99E36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E74F second address: 99E778 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8B9CDB99D0h 0x00000008 jmp 00007F8B9CDB99CAh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8B9CDB99D3h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E778 second address: 99E77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99E77C second address: 99E780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99DD66 second address: 99DD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007F8B9D37AC76h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99EBB4 second address: 99EBE6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8B9CDB99C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d jp 00007F8B9CDB99C6h 0x00000013 jmp 00007F8B9CDB99D9h 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99EBE6 second address: 99EBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jne 00007F8B9D37AC76h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99EBF9 second address: 99EBFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99EBFF second address: 99EC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95E9D5 second address: 95E9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95EEAD second address: 95EEC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B9D37AC83h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95F2B3 second address: 95F318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B9CDB99D3h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F8B9CDB99C8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+12483CB5h] 0x0000002e jnp 00007F8B9CDB99CCh 0x00000034 mov ecx, dword ptr [ebp+122D26FAh] 0x0000003a or dword ptr [ebp+122D2DEDh], esi 0x00000040 nop 0x00000041 push edi 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F8B9CDB99CBh 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95F318 second address: 95F392 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jnl 00007F8B9D37AC8Eh 0x0000000e jmp 00007F8B9D37AC88h 0x00000013 nop 0x00000014 jmp 00007F8B9D37AC82h 0x00000019 lea eax, dword ptr [ebp+12483C71h] 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F8B9D37AC78h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Ch 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 jo 00007F8B9D37AC82h 0x0000003f jng 00007F8B9D37AC7Ch 0x00000045 mov dword ptr [ebp+122D1F46h], edx 0x0000004b nop 0x0000004c push esi 0x0000004d push esi 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95F392 second address: 95F39D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95F39D second address: 94006F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jng 00007F8B9D37AC88h 0x0000000d jmp 00007F8B9D37AC82h 0x00000012 popad 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F8B9D37AC78h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e ja 00007F8B9D37AC7Ch 0x00000034 call dword ptr [ebp+122D228Ah] 0x0000003a push esi 0x0000003b jnl 00007F8B9D37AC82h 0x00000041 push eax 0x00000042 push edx 0x00000043 ja 00007F8B9D37AC76h 0x00000049 push edx 0x0000004a pop edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A27E5 second address: 9A27E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A27E9 second address: 9A283C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push edx 0x0000000e jns 00007F8B9D37AC76h 0x00000014 jmp 00007F8B9D37AC81h 0x00000019 pop edx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8B9D37AC84h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A283C second address: 9A2846 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8B9CDB99C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A2846 second address: 9A284C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A29A7 second address: 9A29AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3121 second address: 9A312D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3293 second address: 9A32D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8B9CDB99C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e jmp 00007F8B9CDB99D1h 0x00000013 pop edx 0x00000014 jmp 00007F8B9CDB99D0h 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8B9CDB99CBh 0x00000022 jno 00007F8B9CDB99C6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A32D8 second address: 9A32FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8B9D37AC76h 0x00000008 ja 00007F8B9D37AC76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F8B9D37AC82h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7593 second address: 9A759F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8B9CDB99C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A759F second address: 9A75A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F8B9D37AC76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A75A9 second address: 9A75B6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8B9CDB99C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A75B6 second address: 9A75EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 ja 00007F8B9D37AC76h 0x00000017 jmp 00007F8B9D37AC80h 0x0000001c popad 0x0000001d pushad 0x0000001e jo 00007F8B9D37AC76h 0x00000024 pushad 0x00000025 popad 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A75EE second address: 9A75F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8B9CDB99C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A75F8 second address: 9A75FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A75FC second address: 9A7608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7608 second address: 9A760C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91E57D second address: 91E594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8B9CDB99CFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91E594 second address: 91E5B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F8B9D37AC76h 0x00000009 jmp 00007F8B9D37AC81h 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A9DCF second address: 9A9E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9CDB99D3h 0x00000009 jmp 00007F8B9CDB99D9h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA180 second address: 9AA186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA186 second address: 9AA18A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC5F9 second address: 9AC5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B51CB second address: 9B51F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8B9CDB99C6h 0x0000000a pushad 0x0000000b popad 0x0000000c jl 00007F8B9CDB99C6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F8B9CDB99D5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B51F6 second address: 9B51FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B477D second address: 9B47A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9CDB99D7h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8B9CDB99CBh 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4A73 second address: 9B4A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8B9D37AC7Fh 0x00000009 jmp 00007F8B9D37AC7Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4A95 second address: 9B4A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4D21 second address: 9B4D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4D27 second address: 9B4D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4D30 second address: 9B4D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4D34 second address: 9B4D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F8B9CDB99D5h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4D59 second address: 9B4D76 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8B9D37AC76h 0x00000008 jmp 00007F8B9D37AC7Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B4D76 second address: 9B4D7B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAC33 second address: 9BAC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B95FC second address: 9B961F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8B9CDB99D8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B961F second address: 9B963A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8B9D37AC85h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B979F second address: 9B97A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B97A3 second address: 9B97B2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B97B2 second address: 9B97BC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8B9CDB99CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9904 second address: 9B993D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F8B9D37AC81h 0x0000000d popad 0x0000000e popad 0x0000000f push ebx 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop edx 0x00000014 pushad 0x00000015 jmp 00007F8B9D37AC86h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9BEA second address: 9B9BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9BEE second address: 9B9BF4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9BF4 second address: 9B9BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9BFE second address: 9B9C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95ECC5 second address: 95ECC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95ECC9 second address: 95ED6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007F8B9D37AC83h 0x0000000f mov dword ptr [ebp+122D2869h], edx 0x00000015 pop ecx 0x00000016 mov ebx, dword ptr [ebp+12483CB0h] 0x0000001c mov edx, dword ptr [ebp+122D2154h] 0x00000022 mov edx, dword ptr [ebp+122D3778h] 0x00000028 add eax, ebx 0x0000002a mov edx, dword ptr [ebp+122D350Ch] 0x00000030 nop 0x00000031 jmp 00007F8B9D37AC87h 0x00000036 push eax 0x00000037 jmp 00007F8B9D37AC7Ch 0x0000003c nop 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F8B9D37AC78h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 push 00000004h 0x00000059 xor di, 7600h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push esi 0x00000062 jmp 00007F8B9D37AC82h 0x00000067 pop esi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9D5F second address: 9B9D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B9D64 second address: 9B9D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA939 second address: 9BA977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007F8B9CDB99C6h 0x0000000e popad 0x0000000f jnp 00007F8B9CDB99E6h 0x00000015 jmp 00007F8B9CDB99CAh 0x0000001a jmp 00007F8B9CDB99D6h 0x0000001f push ecx 0x00000020 jo 00007F8B9CDB99C6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C1F48 second address: 9C1F4D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0223 second address: 9C0229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C04D7 second address: 9C04FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F8B9D37AC76h 0x0000000e jmp 00007F8B9D37AC85h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C04FA second address: 9C04FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0799 second address: 9C07A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0A84 second address: 9C0A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F8B9CDB99C6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0A93 second address: 9C0A99 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C0D59 second address: 9C0D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C18B9 second address: 9C18BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C18BD second address: 9C18C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C18C1 second address: 9C18D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F8B9D37AC7Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C1BF8 second address: 9C1C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB265 second address: 9CB26B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CB26B second address: 9CB271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA513 second address: 9CA519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA519 second address: 9CA51D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA51D second address: 9CA54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9D37AC88h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jns 00007F8B9D37AC76h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 js 00007F8B9D37AC76h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA946 second address: 9CA955 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8B9CDB99C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA955 second address: 9CA979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8B9D37AC88h 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CA979 second address: 9CA98C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8B9CDB99CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAB2C second address: 9CAB32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAB32 second address: 9CAB36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAE41 second address: 9CAE51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8B9D37AC76h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CAE51 second address: 9CAE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4CFA second address: 9D4CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4CFE second address: 9D4D48 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8B9CDB99C6h 0x00000008 jmp 00007F8B9CDB99D4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8B9CDB99D2h 0x00000017 jmp 00007F8B9CDB99D7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4D48 second address: 9D4D4F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3631 second address: 9D363D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F8B9CDB99C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D363D second address: 9D3641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3641 second address: 9D3645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D38D6 second address: 9D38DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3CC0 second address: 9D3CCE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F8B9CDB99DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3CCE second address: 9D3CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9D37AC80h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8B9D37AC80h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3CF4 second address: 9D3CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3CFA second address: 9D3D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F8B9D37AC84h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jbe 00007F8B9D37AC8Eh 0x00000017 jnc 00007F8B9D37AC78h 0x0000001d push eax 0x0000001e push edx 0x0000001f jno 00007F8B9D37AC76h 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DB40D second address: 9DB411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DB411 second address: 9DB415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DAE54 second address: 9DAE5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DAE5A second address: 9DAE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E786D second address: 9E7871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7871 second address: 9E7877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7877 second address: 9E7886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E7886 second address: 9E788C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E788C second address: 9E78CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9CDB99D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F8B9CDB99D9h 0x0000000f jp 00007F8B9CDB99C6h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007F8B9CDB99C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EA727 second address: 9EA72D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF038 second address: 9EF041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F2C1D second address: 9F2C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8B9D37AC76h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F8B9D37AC7Eh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0552E second address: A0554D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F8B9CDB99D2h 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0554D second address: A05553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03D05 second address: A03D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9CDB99D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03D1B second address: A03D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03D1F second address: A03D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8B9CDB99C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F8B9CDB99CEh 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8B9CDB99D6h 0x0000001d jmp 00007F8B9CDB99CCh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03EDE second address: A03EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03EE2 second address: A03EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03EE6 second address: A03EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8B9D37AC82h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A04092 second address: A040A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A04212 second address: A04218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A04218 second address: A04223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0462A second address: A04660 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8B9D37AC7Fh 0x00000008 jmp 00007F8B9D37AC82h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F8B9D37AC7Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A051DC second address: A051F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8B9CDB99D0h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A051F7 second address: A0520E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0D682 second address: A0D68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8B9CDB99C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F1C5 second address: A0F1E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC7Ch 0x00000007 jmp 00007F8B9D37AC7Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0F1E3 second address: A0F1EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F8B9CDB99C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A137F2 second address: A137FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A137FD second address: A13805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26B1C second address: A26B20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2991D second address: A2992E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 ja 00007F8B9CDB99C6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2992E second address: A2994D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F8B9D37AC84h 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2994D second address: A29956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29956 second address: A2995C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2995C second address: A29979 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8B9CDB99C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8B9CDB99CFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29522 second address: A29526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2FE9D second address: A2FEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F8B9CDB99D1h 0x0000000e jmp 00007F8B9CDB99CBh 0x00000013 jmp 00007F8B9CDB99CFh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A2FEC5 second address: A2FECA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34232 second address: A34243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8B9CDB99CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A34396 second address: A3439A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3439A second address: A3439E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A346AF second address: A346B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8B9D37AC76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A38FD6 second address: A38FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A38FDD second address: A39002 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8B9D37AC86h 0x00000008 jnp 00007F8B9D37AC76h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37C22 second address: A37C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37C28 second address: A37C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8B9D37AC76h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37C35 second address: A37C3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37C3C second address: A37C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8B9D37AC76h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8B9D37AC82h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37DC3 second address: A37DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37DC8 second address: A37DF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC89h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8B9D37AC84h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A37F73 second address: A37F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A38E5F second address: A38E81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8B9D37AC88h 0x00000007 jns 00007F8B9D37AC76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7ADAF6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7ADA59 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7B556F instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009246DE rdtsc

0_2_009246DE

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5276

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009843B3 GetSystemInfo,VirtualAlloc,

0_2_009843B3

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009246DE rdtsc

0_2_009246DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007AB95C LdrInitializeThunk,

0_2_007AB95C

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0097AEAE GetSystemTime,GetFileTime,

0_2_0097AEAE

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	54%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562043
Start date and time:	2024-11-25 06:36:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.527783673994632
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'781'696 bytes
MD5:	608d3da8209e0d1c47b711e477034bc8
SHA1:	82b9937f2c50dc5088c53e10639a440640492797
SHA256:	27325de4206e0dc0953ad9256e77e3a16a1575a6fc71435c2c389e9fdf6f29b5
SHA512:	72055ecdc39ab301f938fa33994b26677b3162ea2eb648393b132c444b5bbc9e2a75df4d6c3b1f43c984f8274d92797491c95e05b950c987532a194f15d99af6
SSDEEP:	49152:v9FrhJxaeXQ8sqycRVqH80tZ3/VFuJ7u3AeR7q2s8IOcCGG9m9Yrg:v9F1+eX75ySVB0qKBsD1G9Rc
TLSH:	45D55BA2A60576CFD48F17788427CD829D5C43FA4B2009D7A82D74BF7D6BCC522BAD24
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ....................... +......1+...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6ae000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F8B9CB0A28Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	a886824a73bd820ef4be82e2a58dc520	False	0.9340277777777778	data	7.805428397058871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kxoxrxce	0xa000	0x2a2000	0x2a1200	bdfd36addad1751bbc809c179c51e78f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lfwoxnnu	0x2ac000	0x2000	0x400	e77db63b5bea5580037586d31f7a4fc5	False	0.681640625	data	5.584254349184757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2ae000	0x4000	0x2200	de278c93b7977374634e71b366e30c31	False	0.07456341911764706	DOS executable (COM)	0.832326532541017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	00:36:54
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7a0000
File size:	2'781'696 bytes
MD5 hash:	608D3DA8209E0D1C47B711E477034BC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	3.4%
Signature Coverage:	4.6%
Total number of Nodes:	349
Total number of Limit Nodes:	20

Executed Functions

Function 009843B3 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11B25FEC), ref: 009843BF
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00984420

Memory Dump Source

Source File: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: a8383b068b8b2f3e8bf70620d32de7acc3a124a633bf3013a124237234c8a301
Instruction ID: afe380ad9e804ec5d53556b914d5120c8580a2f79b56f7f9d61e53dbac83682a
Opcode Fuzzy Hash: a8383b068b8b2f3e8bf70620d32de7acc3a124a633bf3013a124237234c8a301
Instruction Fuzzy Hash: 2E41F0B9D40607EAE729DF608845B9AB7ECBF48740F1004A6B607DE982FA7095D4C7E4

Function 009246DE Relevance: 1.6, APIs: 1, Instructions: 109
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 009246DE

Memory Dump Source

Source File: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 01eded8ad2c105f3c7a47ea7385f2eeb9d72fa01ea0c6039f8b8c73711d47179
Instruction ID: d739eb039fbc56f7d81c296cc17399b315ce174a1f7c13ed289ca14ac1142f89
Opcode Fuzzy Hash: 01eded8ad2c105f3c7a47ea7385f2eeb9d72fa01ea0c6039f8b8c73711d47179
Instruction Fuzzy Hash: 283130B620D210AFE705AF09E941B7EFBE9EFC4761F16482DE2C482210D73548508B67

Function 007AB95C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c23c57a06ad035e2ced313cf7ee7bd568a3088d88a7fbc1394d60391861eec4
Instruction ID: dbf57bd97b9dda62584ff541b67f23776fb48382a2df6a7c5dd921ec65057b13
Opcode Fuzzy Hash: 6c23c57a06ad035e2ced313cf7ee7bd568a3088d88a7fbc1394d60391861eec4
Instruction Fuzzy Hash: 2CF05932208552CEC7028F79C4541A67761AFE3316B148261C2A48F2ABE36C6893C308

Function 00978434 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 00978545
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00978559

Strings

.exe, xrefs: 009784A0
1002, xrefs: 0097850F
.dll, xrefs: 0097847C

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: c34ba9cb0e9a5ed87fa4bdb5a6e525f23943a430466c9a5a9630671b99b91c6c
Instruction ID: 978b654c02440e68b4a4c0c785e150094f44d7ac379c96fad2a0a0947fe43912
Opcode Fuzzy Hash: c34ba9cb0e9a5ed87fa4bdb5a6e525f23943a430466c9a5a9630671b99b91c6c
Instruction Fuzzy Hash: 25319A72540106FFCF21AF60D908AAF7B7AFF48340F10C895F90A96161DB749AA0DFA1

Function 00984DDF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.exe, xrefs: 00984F0A, 00984F50, 00984F1B, 00984F2E
.exe, xrefs: 00984F45

Memory Dump Source

Source File: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID:
String ID: .exe$.exe
API String ID: 0-1392631246
Opcode ID: 2b7a1aa84a86c8ef7245d089d6207669426a7bddc35501612d5cd96614eb8682
Instruction ID: 7c8c2957d5d3a292810f38c1eaf712c822a8b6d55b5dd32963906ca8f8fc406d
Opcode Fuzzy Hash: 2b7a1aa84a86c8ef7245d089d6207669426a7bddc35501612d5cd96614eb8682
Instruction Fuzzy Hash: 8541A171904207EFDB21EF14C944BAABBB9FF44314F244499F912AB792C375ACA0CB61

Function 0097893A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,009788CC,?,00000000,00000000), ref: 009789F7
GetModuleHandleA.KERNEL32(00000000,?,?,?,009788CC,?,00000000,00000000), ref: 00978A05

Strings

.dll, xrefs: 0097896D

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: 72603f11a7ff1c71d8b2d5e290915c95c88c01583ca8d835318126b73dfbfa83
Instruction ID: a0bacefd70f71dafaa9da9a21c67d22a58d3e55bb5d08661d4ebe8e87fdfeb06
Opcode Fuzzy Hash: 72603f11a7ff1c71d8b2d5e290915c95c88c01583ca8d835318126b73dfbfa83
Instruction Fuzzy Hash: 7911CE33280606FADF358F10C80E76E7B75BF04744F20C122E60D808A0DF7699E0DA86

Function 0097B294 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00B401D4,-11B25FEC), ref: 0097B30D
GetFileAttributesA.KERNEL32(00000000,-11B25FEC), ref: 0097B31B

Strings

@, xrefs: 0097B2C0

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 95e2e36e847abdbaeb9d075786c61b94df2332925778d96686b3ff30c1ab8bad
Instruction ID: 38bc8f32484cefd2a3a09f9818381d9d7cb466238ad2efcd8f68e1483c8249c7
Opcode Fuzzy Hash: 95e2e36e847abdbaeb9d075786c61b94df2332925778d96686b3ff30c1ab8bad
Instruction Fuzzy Hash: E0016D32205505FADF219FA4C909BADBE71BF54381F60C015E51A650A1D7B49AD1DB84

Function 00931080 Relevance: 4.6, APIs: 3, Instructions: 55
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009310BD
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009310E4
GetNativeSystemInfo.KERNELBASE(?), ref: 0093113B

Memory Dump Source

Source File: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: 3de0d47e10b47ed709c60a4ec3b8bbbcd2ebac327f4232837b5200f686ea9400
Instruction ID: e2238e8dbe6a4dd709442c683555f0c8b395efa7b2826363bbb448c3b56107cf
Opcode Fuzzy Hash: 3de0d47e10b47ed709c60a4ec3b8bbbcd2ebac327f4232837b5200f686ea9400
Instruction Fuzzy Hash: 4B21C7B140824FAEEF21DF60C848BEF3AA8FF05305F500526E941C6961DBB64DA8DF59

Function 00977314 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 00977376

Strings

\\?\, xrefs: 009773D1

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 545b3cfe435c1e9aebacb1a13b7691550147640ca8d46da48040bac2879ca83e
Instruction ID: c9d559ef2d327e222d27826a4c5a1bde2dab0565af7bef802ab290fcae4695dc
Opcode Fuzzy Hash: 545b3cfe435c1e9aebacb1a13b7691550147640ca8d46da48040bac2879ca83e
Instruction Fuzzy Hash: 76312C32504609FFDF22DFD4DC09B9EBABABF48704F004154FA08A5060E7729961DF58

Function 00978A23 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00976D61: GetCurrentThreadId.KERNEL32 ref: 00976D70

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00978A87

Strings

.dll, xrefs: 00978A44

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CurrentHandleModuleThread
String ID: .dll
API String ID: 2752942033-2738580789
Opcode ID: 73a90e52de478f0b18c6ecf7fa7aaeb9e39ead97e364d47e04d3b21ae1b35e36
Instruction ID: 6eb0e0c49ca4a9385192b561e8534f7c9dc7b335f0a1ab36863fc496120fb606
Opcode Fuzzy Hash: 73a90e52de478f0b18c6ecf7fa7aaeb9e39ead97e364d47e04d3b21ae1b35e36
Instruction Fuzzy Hash: 7EF03077244205AFDF24DFA4C849B6F7BA5BF88340F10C416FE1D85152DB35C9A0AA61

Function 0097B4B0 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00B401D4,?,?,-11B25FEC,?,?,?,-11B25FEC,?), ref: 0097B562

Part of subcall function 0097B462: IsBadWritePtr.KERNEL32(?,00000004), ref: 0097B470

CreateFileA.KERNEL32(?,?,?,-11B25FEC,?,?,?,-11B25FEC,?), ref: 0097B582

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CreateFile$Write
String ID:
API String ID: 1125675974-0
Opcode ID: 30c2b4c1baaeb71cfb768ebcf10f01fd0bf51f3a6bdbff5b25bc078401d4fa06
Instruction ID: 0b7206e8a1d43e09ec843b89bb7e72345ffb8613d2f55e8508e55d2dfc3da921
Opcode Fuzzy Hash: 30c2b4c1baaeb71cfb768ebcf10f01fd0bf51f3a6bdbff5b25bc078401d4fa06
Instruction Fuzzy Hash: F511E43210410AFBDF129F94CD09BAE3E66BF58348F14C115BA09664B1C77A8AB1EB95

Function 0097AE1C Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00976D61: GetCurrentThreadId.KERNEL32 ref: 00976D70

GetCurrentProcess.KERNEL32(-11B25FEC), ref: 0097AE29
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0097AE8F

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessThread
String ID:
API String ID: 3748180921-0
Opcode ID: 2b685fae4eb9683731f99c7fdcaa934b39aa62801edc8957f2709e10c777eb7e
Instruction ID: 0545fd6b52aca69c7904076618d4fe2f44191077f02f2d4e6053b670f757788f
Opcode Fuzzy Hash: 2b685fae4eb9683731f99c7fdcaa934b39aa62801edc8957f2709e10c777eb7e
Instruction Fuzzy Hash: 1A01FB3310054AAB8F22AFA4CC49D9F3B29BFD87547108615F90990014D736D861EB62

Function 0097949B Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00979550

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f40777218582c8dd070db797397741de308962c904f10bed75f793a216603cf8
Instruction ID: c738d262be8f3d6bbcfb894a3fa437f4644e0f8e91b617c887a4c6f2a5dffc0a
Opcode Fuzzy Hash: f40777218582c8dd070db797397741de308962c904f10bed75f793a216603cf8
Instruction Fuzzy Hash: 00316872900204FADB219F65DC49F9ABBB8FF88314F20C129F909AA191D7719A51CB64

Function 00978CB7 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00978D39

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8996f50147a3232acd6a649ab4502b6ee0d03fa411775f9547320a3450120e2b
Instruction ID: 2713991136a4d00ed5ecbdea8d2d2b9cb6edab0bf96b35163a0d95d98a81f027
Opcode Fuzzy Hash: 8996f50147a3232acd6a649ab4502b6ee0d03fa411775f9547320a3450120e2b
Instruction Fuzzy Hash: 4E31D472640204BAEB30DF64DC49F9A77B8BB44728F208219F619EA0D1DBB1A552CF54

Function 00927C14 Relevance: 1.6, APIs: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00927C14

Memory Dump Source

Source File: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 35aeb0f6954b6a8ae31baf9dc39fbb8abbf85e6a488ee1e615e395e4500030f9
Instruction ID: b88c540647fbcee70d3cdc6f22e0060cab39a65eaf7be3ab0d0c89df94dd2394
Opcode Fuzzy Hash: 35aeb0f6954b6a8ae31baf9dc39fbb8abbf85e6a488ee1e615e395e4500030f9
Instruction Fuzzy Hash: 0011B1F728C2617EE201CAA57E14FFAA75DE7C3730F30482AF442EA686D29408055535

Function 00984B2C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00984BD9

Memory Dump Source

Source File: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: cbb9b0405bdf6c796d248973f0803cbac3c747c362edced47a8e9091622dd435
Instruction ID: a139c557d05fbeb4759ae00098324ba293811868976ec3c9a87e6cdd6fd8892d
Opcode Fuzzy Hash: cbb9b0405bdf6c796d248973f0803cbac3c747c362edced47a8e9091622dd435
Instruction Fuzzy Hash: 5611B271A032269BEF30AA058C48BEAB7BCEF14755F1180A5E985E6241D775DDC0CBF1

Function 04E40D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E40DCD

Memory Dump Source

Source File: 00000000.00000002.2260199906.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e04a77beb77e7c7cd62bc7b7de513ce7d130cc45e2bfb52d5432a5d3e238f01d
Instruction ID: 2f46455191838e24ddae80368997571951ca082dca7ef038a637fe55bf8ad473
Opcode Fuzzy Hash: e04a77beb77e7c7cd62bc7b7de513ce7d130cc45e2bfb52d5432a5d3e238f01d
Instruction Fuzzy Hash: 132115B6C01219DFDB54CF99E884ADEFBF4EF88710F14816AD908AB205D734A544CBA5

Function 04E40D41 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E40DCD

Memory Dump Source

Source File: 00000000.00000002.2260199906.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 8378d4b9196546c984715ea2ddbd6e24ba51498f4fcb298438ceaae0022638bb
Instruction ID: 7d20a027b4a0ddb1f4e2ae4a634bdec21180fe1a793f43d7935806fc51a3e635
Opcode Fuzzy Hash: 8378d4b9196546c984715ea2ddbd6e24ba51498f4fcb298438ceaae0022638bb
Instruction Fuzzy Hash: C02138B6C00209CFDB44CF99E484BDEFBF1AF88310F14816AD908AB245D774A545CFA4

Function 04E41510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E41580

Memory Dump Source

Source File: 00000000.00000002.2260199906.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: e22d07270b4d4fc9097458fd9f7bcd29b4df0ca217d9887e5d0843246278b167
Instruction ID: 2d37278cbc755e1372090a056b2385ad36790ade2d9428895aad5111988025cc
Opcode Fuzzy Hash: e22d07270b4d4fc9097458fd9f7bcd29b4df0ca217d9887e5d0843246278b167
Instruction Fuzzy Hash: 9311E4B1D00249DFDB10CF9AD584BDEFBF4EB88324F10802AE559A7251D378A644CFA5

Function 04E41509 Relevance: 1.6, APIs: 1, Instructions: 51serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 04E41580

Memory Dump Source

Source File: 00000000.00000002.2260199906.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: c9f1e017ec83f1790d4d5e69731e043d228a909e9cdb510003339cc3d7bf14c5
Instruction ID: aeef4be1280d6968709c615343d4ef72edb855815c092342c19c14e552eb7f17
Opcode Fuzzy Hash: c9f1e017ec83f1790d4d5e69731e043d228a909e9cdb510003339cc3d7bf14c5
Instruction Fuzzy Hash: D02114B5D00249CFDB10CF9AD544BDEFBF0AB48320F10842AD559A7250D778A644CFA5

Function 0097BDD0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f22989cabf53dcbc6d7fcf46f942ba79e2f580b4bce358b91a0e24c777943487
Instruction ID: 07791c023605bd0d1b06b8e6868086d0ac5ff12b4cb8f63505c295c6e6b03e46
Opcode Fuzzy Hash: f22989cabf53dcbc6d7fcf46f942ba79e2f580b4bce358b91a0e24c777943487
Instruction Fuzzy Hash: 4D110933100509EACF12AFA4D809BDF3BA9AF84344F10C414FA1996261C736C661EBA0

Function 04E41301 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E41367

Memory Dump Source

Source File: 00000000.00000002.2260199906.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 9fcde65c9a509f458cdc4a42bbb0d68cf0a3558ddc28e7179d4b4d4e0801da40
Instruction ID: 24e14e6f60582bdc8cca5443d9acd26d8bbaab185bc851b43e2c335eace9d4af
Opcode Fuzzy Hash: 9fcde65c9a509f458cdc4a42bbb0d68cf0a3558ddc28e7179d4b4d4e0801da40
Instruction Fuzzy Hash: CC116AB1800249CFDB10CF9AD585BEEFBF4EF88324F20841AD558A3240D738A540CFA5

Function 04E41308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 04E41367

Memory Dump Source

Source File: 00000000.00000002.2260199906.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 66c4fa0e99df15b53c54a69800c51101bca3caf38c42ea14f38742f3d49f2185
Instruction ID: 8acf2a703a43d31fd95072a0e1eb39e504c21cf70da03d5b8e15ec0b2e093507
Opcode Fuzzy Hash: 66c4fa0e99df15b53c54a69800c51101bca3caf38c42ea14f38742f3d49f2185
Instruction Fuzzy Hash: 3A1136B1800349CFDB10CF9AD445BEEFBF4EB88324F20845AD558A3650D778A584CFA5

Function 0097B6B4 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00976D61: GetCurrentThreadId.KERNEL32 ref: 00976D70

ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11B25FEC,?,?,009793E3,?,?,00000400,?,00000000,?,00000000), ref: 0097B720

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CurrentFileReadThread
String ID:
API String ID: 2348311434-0
Opcode ID: 316de0317782a98f0629e818fc4b3bde4fe148c05c14ebadb69cdcd518fc95f7
Instruction ID: a85b86293a7d91028370e6bb6128722dbfeb1e7b9b9ba60e0d1673b1400cb658
Opcode Fuzzy Hash: 316de0317782a98f0629e818fc4b3bde4fe148c05c14ebadb69cdcd518fc95f7
Instruction Fuzzy Hash: 6FF0C93720050AEBCF12AFA8CC49E9E3F66BF98790F108511F90995521D736C5B1EB61

Function 007AE3DA Relevance: 1.3, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17BD96D2), ref: 007AF415

Memory Dump Source

Source File: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d612dc8be41645d9dd36c4df0779bdbd757cabeb00d1275dd36f047f9765841a
Instruction ID: c0df4ff19347de1d38ecda027c619c158ea54d5917099d8de94250e778ce2d6a
Opcode Fuzzy Hash: d612dc8be41645d9dd36c4df0779bdbd757cabeb00d1275dd36f047f9765841a
Instruction Fuzzy Hash: 4E015E7660C769CFD704BF68840526EBBE0EF89310F11462DD9D5D3250E7715C609B92

Function 00976F32 Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 00976F96

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: c39bcebc452a6d3c62721dd2f85423e571cfd0b3c2b27845631108e26341b6cf
Instruction ID: fb5faf1260926c43cae48f55d6cbcfa74f045cc43b8202173f037e566b315f38
Opcode Fuzzy Hash: c39bcebc452a6d3c62721dd2f85423e571cfd0b3c2b27845631108e26341b6cf
Instruction Fuzzy Hash: A501E836600909BFCF229FA4DC05EDEBF7AEF88340F404161F808A4160E7328661DF64

Function 00984756 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00984752,?,?,00984458,?,?,00984458,?,?,00984458), ref: 00984776

Memory Dump Source

Source File: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 30fc6ba36445c0bdf3116b9dbf0fdb98582ab28b5bc6c0fafcf79eb4845ea3fd
Instruction ID: 2a4245890c9719f5c583fcad6a91bc51182c96fdd020cdbe6b39c2fc19082d89
Opcode Fuzzy Hash: 30fc6ba36445c0bdf3116b9dbf0fdb98582ab28b5bc6c0fafcf79eb4845ea3fd
Instruction Fuzzy Hash: DEF08CB5900206EFE7258F04CD05B99BFF4FF49761F108068F44A9B291E7B598C0CB90

Function 00979AB5 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00976D61: GetCurrentThreadId.KERNEL32 ref: 00976D70

CloseHandle.KERNELBASE(00979478,-11B25FEC,?,?,00979478,?), ref: 00979AF3

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CloseCurrentHandleThread
String ID:
API String ID: 3305057742-0
Opcode ID: 5fd3849630e78bc7d2806eb496d3833ffd054b9a0f4d3dc8d4e6faa1e20d7bbd
Instruction ID: fbbd2e9a0782f7c0509386fb325f3aa079ceff8dc8f63a3a4e1dc035054b3430
Opcode Fuzzy Hash: 5fd3849630e78bc7d2806eb496d3833ffd054b9a0f4d3dc8d4e6faa1e20d7bbd
Instruction Fuzzy Hash: 08E04F73200406BACE20BBB8DC0EF4F2F29AFD5B40710C121F40E85055EB35C192CA71

Function 007AE8E0 Relevance: 1.3, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007AE8E0

Memory Dump Source

Source File: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 91a22ff30720bbd1830333d4beaad3d9fa7e8b9c1dc0bcf1c4436260959e250f
Instruction ID: 796057ee12eed68c6888186b67f08f3ff81aee5b85b7f26e091486a3ba38e798
Opcode Fuzzy Hash: 91a22ff30720bbd1830333d4beaad3d9fa7e8b9c1dc0bcf1c4436260959e250f
Instruction Fuzzy Hash: 51D092F400C648CBC744AF2490440BDBAE0EA06385F12492DE8C282B20E3354895DB07

Function 00978B7A Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00976C00,?,?), ref: 00978B80

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6730776d8cc5079bd0ad6b7faf5532c6596cf6b84238f35e41350889a2918242
Instruction ID: c4e4a2c895ca9ce58318da4f08e18fb12dba41c466c034c710aac63eeb0e38ac
Opcode Fuzzy Hash: 6730776d8cc5079bd0ad6b7faf5532c6596cf6b84238f35e41350889a2918242
Instruction Fuzzy Hash: DFB09B3200010C77CF01BF51DC1594DBF65BF55754B40C110F90584065DB71D560DBD0

Non-executed Functions

Function 0097AEAE Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00976D61: GetCurrentThreadId.KERNEL32 ref: 00976D70

GetSystemTime.KERNEL32(?,-11B25FEC), ref: 0097AEE3
GetFileTime.KERNEL32(?,?,?,?,-11B25FEC), ref: 0097AF26

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: Time$CurrentFileSystemThread
String ID:
API String ID: 2191017843-0
Opcode ID: eddcd4b42091ce405cc14efb9cbf3c0ca9c72b149628ad9ac0498efa3630d5c9
Instruction ID: 12aad75b7846b3e1ce91d6d9af8ddadeacfa8067377172f8ac8e367178d038ab
Opcode Fuzzy Hash: eddcd4b42091ce405cc14efb9cbf3c0ca9c72b149628ad9ac0498efa3630d5c9
Instruction Fuzzy Hash: D701E87320044AEBDF22AF59DC08E8F7F75FFD5751B108125F40A85461D77A88A1EB61

Function 0097BD6C Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 0097BDB3

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: b659a237e8c54ee20f322746f80c4066d41baf099563f142ba7d71a2c6af3629
Instruction ID: 53b661d22264d72d032ee1fdb24ac0b4ebbc8e491c0d86fee3242c0c4ce6db93
Opcode Fuzzy Hash: b659a237e8c54ee20f322746f80c4066d41baf099563f142ba7d71a2c6af3629
Instruction Fuzzy Hash: A4F0F87260020AEFCF11CFA4C904A8D7BB2FF09314F10C129F919A6151D3759A60EF40

Function 009214B3 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f35ae514879fbbd17a871242be3e011e3d16788af7d141f585434adb1a4154
Instruction ID: 86530fb5d699a7d5822f9388dc5d8ea818a1d65f0e3c14ec20a451729e7b1cc0
Opcode Fuzzy Hash: 16f35ae514879fbbd17a871242be3e011e3d16788af7d141f585434adb1a4154
Instruction Fuzzy Hash: 304114F260C2049FE308BF28EC9677AB7E5EB54310F16853CE6C597384EA396804C657

Function 00924C01 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ece7d19df6b96efb865606170adf06b02f9f5fb0511d453c52a2cd55006d0fb
Instruction ID: 9671082f2053266a32ce0827c823d2c6f94fb5b20d383cd0b449f2ca720bfa0b
Opcode Fuzzy Hash: 4ece7d19df6b96efb865606170adf06b02f9f5fb0511d453c52a2cd55006d0fb
Instruction Fuzzy Hash: C431F2B250C600DFE309AF69D88266EFBE5FF98311F528D2DE6D486614D73454808B97

Function 00924C08 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44fed9cb9de38c4a94d8268bf2ad702f5c1e16539d9a4fb73480577fbb0b54b
Instruction ID: 127fcdce83926be9c14090d5e1875d6764d0b55ebe458dfcb1426891bcf72aab
Opcode Fuzzy Hash: d44fed9cb9de38c4a94d8268bf2ad702f5c1e16539d9a4fb73480577fbb0b54b
Instruction Fuzzy Hash: 2A3111B250C600DFE319AF69D88266AFBE5FF98311F528D2DE6C483224D7359480CB97

Function 0097A3E4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00976D61: GetCurrentThreadId.KERNEL32 ref: 00976D70

Part of subcall function 0097B462: IsBadWritePtr.KERNEL32(?,00000004), ref: 0097B470

wsprintfA.USER32 ref: 0097A42A
LoadImageA.USER32(?,?,?,?,?,?), ref: 0097A4EE

Strings

%8x, xrefs: 0097A4B8, 0097A4EB
%8x, xrefs: 0097A425, 0097A428

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: CurrentImageLoadThreadWritewsprintf
String ID: %8x$%8x
API String ID: 439219941-2046107164
Opcode ID: d7d94d27b123f0f9dfd2c0c22e5b0a475589c9d4bb2d8bb73633f534c05ef705
Instruction ID: c2f2a46b59e4157cfdf719ae541d8cc77fc554818782ea3801d463cf3da0181f
Opcode Fuzzy Hash: d7d94d27b123f0f9dfd2c0c22e5b0a475589c9d4bb2d8bb73633f534c05ef705
Instruction Fuzzy Hash: 3A31123290010AFBCF119F94DC09FAEBB79FF88700F108126FA15A61A1D7719A61DBA1

Function 0097AFB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(00B401D4,00004020,00000000,-11B25FEC), ref: 0097B0A2

Strings

@, xrefs: 0097AFE1

Memory Dump Source

Source File: 00000000.00000002.2258109845.0000000000972000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.2257591907.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257604107.00000000007A2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257616684.00000000007A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257632556.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257652991.00000000007B4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257666714.00000000007B5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257702215.00000000007B6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257850139.000000000090C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257866302.000000000090E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.0000000000921000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257889113.000000000092F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257935492.0000000000933000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257954610.0000000000937000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257975613.0000000000938000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2257998836.0000000000939000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258034400.000000000095E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258060147.0000000000960000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258085909.0000000000968000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258134245.000000000097C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258154442.000000000097F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258172641.0000000000980000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258190216.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258215198.0000000000992000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258233611.0000000000997000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258252331.00000000009A0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258269018.00000000009A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258291805.00000000009AC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258310818.00000000009AD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258329997.00000000009B9000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258347442.00000000009BB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258364770.00000000009BC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258385567.00000000009C3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258407126.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258425253.00000000009CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258444532.00000000009D3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258463658.00000000009D6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258488767.00000000009F2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258506385.00000000009F5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258537109.0000000000A31000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258556115.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258576699.0000000000A3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258614189.0000000000A4C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2258631922.0000000000A4E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7a0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: efefd458b8b79acdf7c1d11aea0eb4149567b70153489a3c7bf89e4d5cb07947
Instruction ID: be8637ca341e547db3c63e1041115c7866d8bac6acf4e78d8eab219b33f5900f
Opcode Fuzzy Hash: efefd458b8b79acdf7c1d11aea0eb4149567b70153489a3c7bf89e4d5cb07947
Instruction Fuzzy Hash: 67318C72604605EFDB258F54C848B9FBBB4FF48300F108519E86967650C375AAA1DB80

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 5028, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 5028, Parent PID: 4004COMMON

Execution Graph

Graph

Windows Analysis Report
file.exe

Function 009843B3 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 009246DE Relevance: 1.6, APIs: 1, Instructions: 109
libraryCOMMON

Function 00978434 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 00984DDF Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Function 0097893A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 0097B294 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Function 00931080 Relevance: 4.6, APIs: 3, Instructions: 55
registryCOMMON

Function 00977314 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 00978A23 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 0097B4B0 Relevance: 3.1, APIs: 2, Instructions: 57
fileCOMMON

Function 0097AE1C Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 0097949B Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 00978CB7 Relevance: 1.6, APIs: 1, Instructions: 92
fileCOMMON

Function 00927C14 Relevance: 1.6, APIs: 1, Instructions: 89
fileCOMMON

Function 00984B2C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON