Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562492
MD5:	62999b3ca5005da29eb4d0853c5fa789
SHA1:	8512b3a7ac2f37b19b0a75586859d724b857b6c6
SHA256:	0fd8b2570b5b38cb65325116d2ea01d414876f903cf72c26a1733a1d6f35bd22
Tags:	exeHealeruser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 62999B3CA5005DA29EB4D0853C5FA789)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmp, file.exe, 00000005.00000003.1279993226.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0113E19A

5_2_0113E19A

Source: file.exe, 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000005.00000002.1415544313.000000000096E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 42%

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2813440 > 1048576

Source: file.exe

Static PE information: Raw size of vfzorowi is bigger than: 0x100000 < 0x2a8e00

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 5.2.file.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W;vfzorowi:EW;ahyfouxz:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2b673e should be: 0x2b4d1b

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: vfzorowi
Source: file.exe	Static PE information: section name: ahyfouxz
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114B303 push edx; mov dword ptr [esp], ecx	5_2_0114E3B4
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114B303 push esi; mov dword ptr [esp], ecx	5_2_0114F67D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FBE6F5 push eax; mov dword ptr [esp], ebp	5_2_00FBF5AB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113D7A8 push eax; mov dword ptr [esp], 7F5EA5DEh	5_2_0113D7BE
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113D7A8 push 5AB1CBC9h; mov dword ptr [esp], ebx	5_2_0113D7FF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113D7A8 push ebx; mov dword ptr [esp], 7FDFF500h	5_2_0113D823
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113D7A8 push 17F3F8EBh; mov dword ptr [esp], edx	5_2_0113D8DE
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113D635 push ecx; mov dword ptr [esp], ebx	5_2_0113D675
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113D635 push ecx; mov dword ptr [esp], edi	5_2_0113D6CF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114A6D2 push ebp; mov dword ptr [esp], eax	5_2_0114A6EB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01141B07 push ecx; ret	5_2_01141C49
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FC10F8 push esi; mov dword ptr [esp], ecx	5_2_00FC1B0E
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114A100 push ebp; mov dword ptr [esp], 7D7B1445h	5_2_0114A14A
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FC10DB push 5286BDE7h; mov dword ptr [esp], ebp	5_2_00FC3B34
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_01146133 push ecx; mov dword ptr [esp], eax	5_2_01146143
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FBF0CE push edi; mov dword ptr [esp], edx	5_2_00FBF0EF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00FC10A1 push 7DC382D4h; mov dword ptr [esp], esi	5_2_00FC10A7
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114B17F push 42AB8620h; mov dword ptr [esp], eax	5_2_0114C348
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114B17F push ecx; mov dword ptr [esp], edx	5_2_0114D0C8
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114A16A push esi; mov dword ptr [esp], 37FA07B9h	5_2_0114A16B
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114A16A push 00EEC0DAh; mov dword ptr [esp], eax	5_2_0114A178
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E19A push 29A32291h; mov dword ptr [esp], edx	5_2_0113E1AB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E19A push ebx; mov dword ptr [esp], ecx	5_2_0113E1DF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E19A push ebx; mov dword ptr [esp], eax	5_2_0113E2B2
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E19A push ebp; mov dword ptr [esp], esp	5_2_0113E2CC
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_011D818F push ecx; mov dword ptr [esp], eax	5_2_011D8227
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_011D818F push ebx; mov dword ptr [esp], ecx	5_2_011D8242
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0114A186 push 384B9DD1h; mov dword ptr [esp], ecx	5_2_0114FCD5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E187 push 29A32291h; mov dword ptr [esp], edx	5_2_0113E1AB
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E187 push ebx; mov dword ptr [esp], ecx	5_2_0113E1DF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0113E187 push ebx; mov dword ptr [esp], eax	5_2_0113E2B2

Source: file.exe

Static PE information: section name: entropy: 7.793247849511672

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBDD8B second address: FBDDA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18B8B86245h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBDDA4 second address: FBDDB7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F18B9954E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBDDB7 second address: FBDDC1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F18B8B86236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113D498 second address: 113D4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E4Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113D64D second address: 113D653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113D653 second address: 113D65C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113D65C second address: 113D666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F18B8B86236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113D666 second address: 113D66A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113D903 second address: 113D910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F18B8B86236h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114156A second address: FBDD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 add dword ptr [esp], 0C146347h 0x0000000c mov dl, ah 0x0000000e push dword ptr [ebp+122D1611h] 0x00000014 mov dword ptr [ebp+122D2220h], esi 0x0000001a add edi, dword ptr [ebp+122D3C5Fh] 0x00000020 call dword ptr [ebp+122D207Ch] 0x00000026 pushad 0x00000027 pushad 0x00000028 js 00007F18B9954E48h 0x0000002e sbb edx, 17B4E6AFh 0x00000034 popad 0x00000035 xor eax, eax 0x00000037 mov dword ptr [ebp+122D1CF1h], ecx 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 pushad 0x00000042 movzx ebx, di 0x00000045 xor bh, 0000006Ah 0x00000048 popad 0x00000049 mov dword ptr [ebp+122D3BFBh], eax 0x0000004f jno 00007F18B9954E4Ch 0x00000055 mov esi, 0000003Ch 0x0000005a jmp 00007F18B9954E54h 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 jno 00007F18B9954E47h 0x00000069 sub dword ptr [ebp+122D1CF1h], ecx 0x0000006f lodsw 0x00000071 jo 00007F18B9954E5Fh 0x00000077 pushad 0x00000078 jmp 00007F18B9954E53h 0x0000007d mov ax, 2DC1h 0x00000081 popad 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 xor dword ptr [ebp+122D1CF1h], edx 0x0000008c mov dword ptr [ebp+122D1EEFh], ecx 0x00000092 mov ebx, dword ptr [esp+24h] 0x00000096 jmp 00007F18B9954E4Fh 0x0000009b nop 0x0000009c push eax 0x0000009d push edx 0x0000009e jmp 00007F18B9954E50h 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11415B8 second address: 1141616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F18B8B8623Bh 0x0000000e popad 0x0000000f push eax 0x00000010 jno 00007F18B8B86244h 0x00000016 nop 0x00000017 mov esi, dword ptr [ebp+122D3C8Fh] 0x0000001d cld 0x0000001e push 00000000h 0x00000020 and dh, FFFFFF90h 0x00000023 push D91468BCh 0x00000028 pushad 0x00000029 jmp 00007F18B8B8623Ah 0x0000002e jc 00007F18B8B8623Ch 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1141616 second address: 11416B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 26EB97C4h 0x0000000c mov dword ptr [ebp+122D2184h], ecx 0x00000012 mov dx, si 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F18B9954E48h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 or esi, 5C18251Bh 0x00000037 push 00000000h 0x00000039 mov ecx, dword ptr [ebp+122D21BCh] 0x0000003f push 00000003h 0x00000041 or dword ptr [ebp+122D1E19h], edx 0x00000047 push 6425324Eh 0x0000004c jmp 00007F18B9954E54h 0x00000051 add dword ptr [esp], 5BDACDB2h 0x00000058 jo 00007F18B9954E4Ch 0x0000005e lea ebx, dword ptr [ebp+124574B5h] 0x00000064 mov esi, ebx 0x00000066 push eax 0x00000067 pushad 0x00000068 pushad 0x00000069 jmp 00007F18B9954E52h 0x0000006e pushad 0x0000006f popad 0x00000070 popad 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11416B1 second address: 11416B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1141704 second address: 114172D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F18B9954E59h 0x0000000b jmp 00007F18B9954E53h 0x00000010 popad 0x00000011 push eax 0x00000012 jbe 00007F18B9954E4Eh 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114172D second address: 11417DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 add edi, 46AB6E99h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F18B8B86238h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dl, ch 0x0000002a and dh, 00000041h 0x0000002d push 6C4D9A8Fh 0x00000032 pushad 0x00000033 jmp 00007F18B8B8623Fh 0x00000038 jmp 00007F18B8B8623Ch 0x0000003d popad 0x0000003e xor dword ptr [esp], 6C4D9A0Fh 0x00000045 mov esi, dword ptr [ebp+122D3BE3h] 0x0000004b push 00000003h 0x0000004d jmp 00007F18B8B86241h 0x00000052 add edx, 23189316h 0x00000058 push 00000000h 0x0000005a mov dword ptr [ebp+122D2A76h], ebx 0x00000060 push 00000003h 0x00000062 add dword ptr [ebp+122D2A76h], edx 0x00000068 mov edx, dword ptr [ebp+122D39FFh] 0x0000006e push E8EFCBB0h 0x00000073 push eax 0x00000074 push edx 0x00000075 jo 00007F18B8B8624Eh 0x0000007b jmp 00007F18B8B86248h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11417DF second address: 11417E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11418F6 second address: 1141905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1141905 second address: 114191D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18B9954E54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114191D second address: 114199F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B8623Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F18B8B8623Bh 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 jmp 00007F18B8B86240h 0x0000001c push ebx 0x0000001d jmp 00007F18B8B86249h 0x00000022 pop ebx 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 pushad 0x00000029 jmp 00007F18B8B86241h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F18B8B86249h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 114199F second address: 1141A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F18B9954E48h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 adc edi, 7F19AE72h 0x0000002b sub dword ptr [ebp+122D20C9h], edx 0x00000031 push 00000003h 0x00000033 movzx edi, cx 0x00000036 push 00000000h 0x00000038 jmp 00007F18B9954E4Eh 0x0000003d push 00000003h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F18B9954E48h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 00000017h 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 sub dword ptr [ebp+122D2104h], edx 0x0000005f call 00007F18B9954E49h 0x00000064 push eax 0x00000065 push edx 0x00000066 push edi 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1141A33 second address: 1141A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1141A38 second address: 1141A4F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F18B9954E4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1141A4F second address: 1141AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F18B8B8623Bh 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push esi 0x00000015 jmp 00007F18B8B8623Ah 0x0000001a pop esi 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e jp 00007F18B8B86240h 0x00000024 pushad 0x00000025 jp 00007F18B8B86236h 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 jmp 00007F18B8B86248h 0x00000037 pop eax 0x00000038 je 00007F18B8B8623Ch 0x0000003e mov dword ptr [ebp+122D2284h], edi 0x00000044 lea ebx, dword ptr [ebp+124574C9h] 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F18B8B86238h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 0000001Ah 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 movzx edx, bx 0x00000067 push eax 0x00000068 push ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115338B second address: 115338F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160C04 second address: 1160C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D5E second address: 1160D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D62 second address: 1160D66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D66 second address: 1160D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E57h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F18B9954E46h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D8E second address: 1160D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1160D92 second address: 1160D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161043 second address: 1161090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jmp 00007F18B8B86243h 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jbe 00007F18B8B86236h 0x00000015 jmp 00007F18B8B8623Ah 0x0000001a jmp 00007F18B8B8623Fh 0x0000001f popad 0x00000020 jmp 00007F18B8B8623Bh 0x00000025 push edx 0x00000026 push esi 0x00000027 pop esi 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161325 second address: 1161348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F18B9954E4Bh 0x0000000b jmp 00007F18B9954E52h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161348 second address: 116135C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86240h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116135C second address: 1161370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F18B9954E4Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11614F6 second address: 11614FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11617A2 second address: 11617B0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F18B9954E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11617B0 second address: 11617B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11617B4 second address: 11617B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11617B8 second address: 11617BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115864F second address: 1158666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E51h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1158666 second address: 115866B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 115866B second address: 1158675 instructions: 0x00000000 rdtsc 0x00000002 je 00007F18B9954E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1161EA5 second address: 1161EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11623D8 second address: 11623DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11623DC second address: 11623ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F18B8B86236h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162657 second address: 1162675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E58h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162675 second address: 1162691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F18B8B86236h 0x0000000a popad 0x0000000b jng 00007F18B8B8623Eh 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11627BD second address: 11627D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F18B9954E4Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11627D2 second address: 11627D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1162A2B second address: 1162A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1132147 second address: 113215D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B8B8623Dh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113215D second address: 1132161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116872F second address: 1168742 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F18B8B86238h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168742 second address: 1168746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168746 second address: 116874C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B1A second address: 1168B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B1E second address: 1168B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1168B24 second address: 1168B2E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F18B9954E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116E924 second address: 116E928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116E928 second address: 116E93B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f push ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116E93B second address: 116E941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116EC10 second address: 116EC4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E50h 0x00000007 pushad 0x00000008 jmp 00007F18B9954E57h 0x0000000d jmp 00007F18B9954E51h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116ED86 second address: 116ED8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116ED8E second address: 116ED94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116ED94 second address: 116EDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F18B8B86241h 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F18B8B86249h 0x00000014 js 00007F18B8B86236h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 116EF1D second address: 116EF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F18B9954E4Bh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11709BB second address: 11709C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11709C1 second address: 11709C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170B10 second address: 1170B15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C56 second address: 1170C89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18B9954E58h 0x00000008 jmp 00007F18B9954E4Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C89 second address: 1170C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C8D second address: 1170C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1170C91 second address: 1170C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11712CE second address: 11712D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11712D2 second address: 1171326 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F18B8B86236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], ebx 0x0000000e jl 00007F18B8B8623Ch 0x00000014 jns 00007F18B8B86236h 0x0000001a nop 0x0000001b pushad 0x0000001c jmp 00007F18B8B86241h 0x00000021 jmp 00007F18B8B86245h 0x00000026 popad 0x00000027 push eax 0x00000028 push ebx 0x00000029 pushad 0x0000002a jmp 00007F18B8B8623Ch 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171482 second address: 1171487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1171487 second address: 117148D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117148D second address: 1171491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11726E5 second address: 11726EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173FCE second address: 1173FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 je 00007F18B9954E4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174C9B second address: 1174D0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F18B8B86238h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D3A6Fh] 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007F18B8B86238h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 cmc 0x0000004a push 00000000h 0x0000004c mov si, bx 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F18B8B86241h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174A68 second address: 1174A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174D0C second address: 1174D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174A6C second address: 1174A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174D12 second address: 1174D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F18B8B86236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1174A70 second address: 1174A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1175FC8 second address: 1175FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117AB07 second address: 117AB0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C11F second address: 117C123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C123 second address: 117C129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117B200 second address: 117B212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18B8B8623Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C129 second address: 117C130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D132 second address: 117D140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18B8B8623Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D140 second address: 117D166 instructions: 0x00000000 rdtsc 0x00000002 je 00007F18B9954E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F18B9954E57h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117C2CC second address: 117C39D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F18B8B86248h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d movzx edi, si 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push esi 0x00000018 movsx ebx, ax 0x0000001b pop edi 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007F18B8B86238h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d mov bl, 42h 0x0000003f call 00007F18B8B86243h 0x00000044 adc bx, EEC4h 0x00000049 pop ebx 0x0000004a mov eax, dword ptr [ebp+122D0EA5h] 0x00000050 jmp 00007F18B8B8623Bh 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ebp 0x0000005a call 00007F18B8B86238h 0x0000005f pop ebp 0x00000060 mov dword ptr [esp+04h], ebp 0x00000064 add dword ptr [esp+04h], 0000001Ch 0x0000006c inc ebp 0x0000006d push ebp 0x0000006e ret 0x0000006f pop ebp 0x00000070 ret 0x00000071 sub edi, 531ABD3Ah 0x00000077 nop 0x00000078 pushad 0x00000079 js 00007F18B8B8623Ch 0x0000007f push eax 0x00000080 push edx 0x00000081 jmp 00007F18B8B86241h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D166 second address: 117D1DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F18B9954E48h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 or dword ptr [ebp+122D1E19h], ebx 0x0000002a push 00000000h 0x0000002c mov di, cx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F18B9954E48h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b or dword ptr [ebp+122D2104h], esi 0x00000051 xchg eax, esi 0x00000052 push ecx 0x00000053 jc 00007F18B9954E4Ch 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D1DB second address: 117D1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jp 00007F18B8B86244h 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117D1EB second address: 117D1EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117E0E8 second address: 117E180 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86248h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jmp 00007F18B8B86243h 0x00000010 pop edi 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F18B8B86238h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c jns 00007F18B8B8623Ch 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F18B8B86238h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov dword ptr [ebp+1245ED30h], ebx 0x00000054 push 00000000h 0x00000056 sub ebx, dword ptr [ebp+122D1E54h] 0x0000005c movzx edi, ax 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 push esi 0x00000064 pop esi 0x00000065 jnc 00007F18B8B86236h 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117E180 second address: 117E18A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F18B9954E4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F1D2 second address: 117F1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F1D6 second address: 117F1DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117E404 second address: 117E408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F4B2 second address: 117F4C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F4C4 second address: 117F4CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117F4CA second address: 117F4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11803B7 second address: 11803BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118048A second address: 1180490 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1180490 second address: 1180494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118156F second address: 118157D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118157D second address: 1181583 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1182440 second address: 1182444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184313 second address: 1184319 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184319 second address: 118431F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118251B second address: 1182525 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118431F second address: 1184331 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F18B9954E46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1184331 second address: 118433C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F18B8B86236h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118433C second address: 1184343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1185352 second address: 11853A6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F18B8B86236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, edx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F18B8B86238h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c pushad 0x0000002d or dword ptr [ebp+122D1CF1h], edi 0x00000033 mov ax, 39E4h 0x00000037 popad 0x00000038 mov dword ptr [ebp+122D3242h], edx 0x0000003e push 00000000h 0x00000040 pushad 0x00000041 mov cx, 6A1Eh 0x00000045 mov dword ptr [ebp+122D23BDh], ecx 0x0000004b popad 0x0000004c xchg eax, esi 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push esi 0x00000051 pop esi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1185673 second address: 1185678 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188710 second address: 1188714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1186767 second address: 118676B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1188714 second address: 118871A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183623 second address: 1183629 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1183629 second address: 118362F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118362F second address: 1183633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118BB29 second address: 118BB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118A885 second address: 118A8A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118A95D second address: 118A962 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118F826 second address: 118F835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 118F835 second address: 118F83B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1129C59 second address: 1129C5F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119BE0F second address: 119BE1B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007F18B8B86236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119BE1B second address: 119BE24 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 113736E second address: 1137374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B948 second address: 119B99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jl 00007F18B9954E46h 0x00000011 jmp 00007F18B9954E55h 0x00000016 jmp 00007F18B9954E54h 0x0000001b popad 0x0000001c push ecx 0x0000001d jmp 00007F18B9954E59h 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 119B99E second address: 119B9A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1EC8 second address: 11A1ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1ECE second address: 11A1EE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F18B8B86240h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1EE1 second address: 11A1EFE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F18B9954E50h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1EFE second address: 11A1F3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86246h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jnc 00007F18B8B8623Ch 0x00000013 jg 00007F18B8B86236h 0x00000019 pushad 0x0000001a push edi 0x0000001b pop edi 0x0000001c jc 00007F18B8B86236h 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push ebx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1F3B second address: 11A1F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1FDD second address: 11A1FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A1FE6 second address: 11A1FEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8CD6 second address: 11A8CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A7FE3 second address: 11A8001 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E50h 0x00000007 ja 00007F18B9954E46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8830 second address: 11A8839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8839 second address: 11A885E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F18B9954E4Fh 0x0000000e push ecx 0x0000000f jmp 00007F18B9954E4Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A89D1 second address: 11A89E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B8623Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A89E3 second address: 11A89EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F18B9954E46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8B62 second address: 11A8B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F18B8B86236h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8B7E second address: 11A8B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11A8B82 second address: 11A8B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF1AA second address: 11AF1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E4Dh 0x00000009 popad 0x0000000a jo 00007F18B9954E4Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AF1C4 second address: 11AF1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AE251 second address: 11AE255 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AE255 second address: 11AE25B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AE25B second address: 11AE265 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F18B9954E52h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AE265 second address: 11AE283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F18B8B86236h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F18B8B8623Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AE6DB second address: 11AE6F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E52h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AEBC4 second address: 11AEBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jne 00007F18B8B86236h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11AEBD2 second address: 11AEBF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F18B9954E56h 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F18B9954E46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B497B second address: 11B4981 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1177CAB second address: 1177CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1177CAF second address: 1177D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F18B8B86238h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+1248D9CCh] 0x0000002a mov dword ptr [ebp+122D1D0Bh], edx 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jl 00007F18B8B8624Ah 0x00000039 jmp 00007F18B8B86244h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1177D05 second address: 115864F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F18B9954E4Bh 0x0000000f nop 0x00000010 or dword ptr [ebp+122D27FFh], edi 0x00000016 call dword ptr [ebp+122D2058h] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jmp 00007F18B9954E52h 0x00000024 pushad 0x00000025 popad 0x00000026 push edx 0x00000027 pop edx 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178251 second address: 1178256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783A2 second address: 11783A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783A8 second address: 11783AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783AE second address: 11783B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783B2 second address: 11783B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783B6 second address: 11783C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11783C4 second address: FBDD8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D3C03h] 0x0000000e push dword ptr [ebp+122D1611h] 0x00000014 xor edx, 3B777033h 0x0000001a jns 00007F18B8B8623Bh 0x00000020 call dword ptr [ebp+122D207Ch] 0x00000026 pushad 0x00000027 pushad 0x00000028 js 00007F18B8B86238h 0x0000002e pushad 0x0000002f popad 0x00000030 sbb edx, 17B4E6AFh 0x00000036 popad 0x00000037 xor eax, eax 0x00000039 mov dword ptr [ebp+122D1CF1h], ecx 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 pushad 0x00000044 movzx ebx, di 0x00000047 xor bh, 0000006Ah 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D3BFBh], eax 0x00000051 jno 00007F18B8B8623Ch 0x00000057 mov esi, 0000003Ch 0x0000005c jmp 00007F18B8B86244h 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 jno 00007F18B8B86237h 0x0000006b sub dword ptr [ebp+122D1CF1h], ecx 0x00000071 lodsw 0x00000073 jo 00007F18B8B8624Fh 0x00000079 pushad 0x0000007a jmp 00007F18B8B86243h 0x0000007f mov ax, 2DC1h 0x00000083 popad 0x00000084 add eax, dword ptr [esp+24h] 0x00000088 xor dword ptr [ebp+122D1CF1h], edx 0x0000008e mov dword ptr [ebp+122D1EEFh], ecx 0x00000094 mov ebx, dword ptr [esp+24h] 0x00000098 jmp 00007F18B8B8623Fh 0x0000009d nop 0x0000009e push eax 0x0000009f push edx 0x000000a0 jmp 00007F18B8B86240h 0x000000a5 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117846B second address: 11784BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F18B9954E52h 0x0000000c pop esi 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F18B9954E59h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jg 00007F18B9954E54h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11784BB second address: 11784DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18B8B8623Ah 0x00000008 jmp 00007F18B8B8623Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11784DF second address: 11784E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11784E3 second address: 11784E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11784E7 second address: 117851C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F18B9954E55h 0x0000000b popad 0x0000000c pop eax 0x0000000d mov dword ptr [ebp+122D38F2h], ecx 0x00000013 mov cx, si 0x00000016 push 0AAF7606h 0x0000001b push eax 0x0000001c push edx 0x0000001d ja 00007F18B9954E48h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11785C0 second address: 11785C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117878B second address: 11787B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 jmp 00007F18B9954E55h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F18B9954E46h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178D28 second address: 1178D8A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F18B8B86238h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F18B8B86238h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 call 00007F18B8B86247h 0x0000002a mov ecx, dword ptr [ebp+12467E99h] 0x00000030 pop edi 0x00000031 push 0000001Eh 0x00000033 nop 0x00000034 push ebx 0x00000035 jmp 00007F18B8B86240h 0x0000003a pop ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179019 second address: 1179023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F18B9954E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179023 second address: 1179043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d jmp 00007F18B8B8623Ch 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11790CE second address: 1179159 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F18B9954E48h 0x0000000c popad 0x0000000d nop 0x0000000e sub edx, dword ptr [ebp+122D2099h] 0x00000014 lea eax, dword ptr [ebp+1248DA10h] 0x0000001a mov edi, dword ptr [ebp+1247C15Ch] 0x00000020 push eax 0x00000021 jmp 00007F18B9954E4Ah 0x00000026 mov dword ptr [esp], eax 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007F18B9954E48h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 xor dword ptr [ebp+12470756h], edi 0x00000049 lea eax, dword ptr [ebp+1248D9CCh] 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007F18B9954E48h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000016h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 sub edx, dword ptr [ebp+122D3C37h] 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179159 second address: 1179160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1179160 second address: 1159193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jl 00007F18B9954E48h 0x00000012 movzx ecx, di 0x00000015 call dword ptr [ebp+122D1E73h] 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159193 second address: 1159197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1159197 second address: 11591A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3B01 second address: 11B3B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3B05 second address: 11B3B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3B0B second address: 11B3B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18B8B86246h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3B26 second address: 11B3B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3C8A second address: 11B3CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B8B86249h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3CA7 second address: 11B3CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3CAB second address: 11B3CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F18B8B86242h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3CC6 second address: 11B3CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3DFF second address: 11B3E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3E05 second address: 11B3E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B3E0D second address: 11B3E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F18B8B86236h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B4561 second address: 11B4567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B964C second address: 11B9652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9652 second address: 11B9656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11B9656 second address: 11B965C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE1B8 second address: 11BE1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE1C3 second address: 11BE1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE465 second address: 11BE4B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E55h 0x00000007 pushad 0x00000008 jmp 00007F18B9954E4Fh 0x0000000d jnp 00007F18B9954E46h 0x00000013 jmp 00007F18B9954E55h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE4B2 second address: 11BE4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE62F second address: 11BE633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE633 second address: 11BE642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F18B8B86236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE642 second address: 11BE647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE77C second address: 11BE788 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F18B8B8623Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BE8CB second address: 11BE8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BEA33 second address: 11BEA65 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007F18B8B86236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F18B8B86238h 0x00000012 jns 00007F18B8B8623Eh 0x00000018 popad 0x00000019 je 00007F18B8B8624Ah 0x0000001f pushad 0x00000020 jng 00007F18B8B86236h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BEBE4 second address: 11BEBF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F18B9954E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F18B9954E4Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BED62 second address: 11BED90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F18B8B86259h 0x0000000b jmp 00007F18B8B8623Bh 0x00000010 jmp 00007F18B8B86248h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11BDA8C second address: 11BDA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C6077 second address: 11C60B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86243h 0x00000007 jmp 00007F18B8B86244h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F18B8B86242h 0x00000016 jnc 00007F18B8B86236h 0x0000001c jnp 00007F18B8B86236h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C60B6 second address: 11C60C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F18B9954E46h 0x0000000a je 00007F18B9954E46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C60C6 second address: 11C60CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C5C42 second address: 11C5C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F18B9954E58h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F18B9954E46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C5C69 second address: 11C5C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C947F second address: 11C9487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C9487 second address: 11C948B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C948B second address: 11C949B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F18B9954E46h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C949B second address: 11C94C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jmp 00007F18B8B86246h 0x00000014 ja 00007F18B8B86236h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C94C7 second address: 11C94E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18B9954E52h 0x00000008 jl 00007F18B9954E46h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8CEA second address: 11C8CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8E90 second address: 11C8EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F18B9954E51h 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8EAF second address: 11C8EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8EB5 second address: 11C8EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8EB9 second address: 11C8ED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F18B8B86240h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C8ED1 second address: 11C8EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F18B9954E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C9036 second address: 11C9042 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F18B8B86236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11C91A0 second address: 11C91A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CEA34 second address: 11CEA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CEA38 second address: 11CEA3E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CEE18 second address: 11CEE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178BC8 second address: 1178BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1178BCC second address: 1178BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CF258 second address: 11CF25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11CF25C second address: 11CF265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D36C0 second address: 11D36D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F18B9954E51h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D36D7 second address: 11D36EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F18B8B86242h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D3A23 second address: 11D3A45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F18B9954E54h 0x0000000f pushad 0x00000010 jc 00007F18B9954E46h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D810D second address: 11D8127 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F18B8B86236h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F18B8B8623Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D79CE second address: 11D79DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D79DD second address: 11D79E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7E24 second address: 11D7E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F18B9954E55h 0x00000008 jmp 00007F18B9954E50h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7E51 second address: 11D7E96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86240h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F18B8B86246h 0x00000013 jmp 00007F18B8B86243h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7E96 second address: 11D7E9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11D7E9B second address: 11D7EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DFC5A second address: 11DFC5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DDEC4 second address: 11DDED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F18B8B86236h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DE2FE second address: 11DE309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DE309 second address: 11DE30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DEB5A second address: 11DEB5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11DEB5E second address: 11DEB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F18B8B86236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5147 second address: 11E5156 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5C83 second address: 11E5C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5C87 second address: 11E5CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F18B9954E55h 0x0000000e jns 00007F18B9954E46h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11E5CAC second address: 11E5CB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EABDC second address: 11EAC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F18B9954E59h 0x0000000b js 00007F18B9954E46h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007F18B9954E4Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EAC0F second address: 11EAC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EAC19 second address: 11EAC1F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EAC1F second address: 11EAC29 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F18B8B8623Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EAC29 second address: 11EAC30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11EAC30 second address: 11EAC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2A5F second address: 11F2A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2A63 second address: 11F2A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F18B8B86236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2A73 second address: 11F2A7D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F18B9954E46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2A7D second address: 11F2A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2D29 second address: 11F2D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2D2D second address: 11F2D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2D31 second address: 11F2D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2D37 second address: 11F2D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2D3D second address: 11F2D73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E51h 0x00000007 jmp 00007F18B9954E58h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007F18B9954E62h 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2D73 second address: 11F2D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnp 00007F18B8B86236h 0x0000000c jl 00007F18B8B86236h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2EA2 second address: 11F2ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E52h 0x00000009 popad 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007F18B9954E4Eh 0x00000012 jc 00007F18B9954E46h 0x00000018 push edi 0x00000019 pop edi 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2ED3 second address: 11F2ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2ED9 second address: 11F2EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F2081 second address: 11F20AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F18B8B8623Ch 0x00000008 jnl 00007F18B8B86236h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F18B8B86247h 0x00000015 jnp 00007F18B8B86236h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9A76 second address: 11F9A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F18B9954E58h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9A93 second address: 11F9A99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9A99 second address: 11F9A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9BC2 second address: 11F9BF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B8B86244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F18B8B8624Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 11F9BF5 second address: 11F9BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12064B6 second address: 12064D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F18B8B86236h 0x0000000a jmp 00007F18B8B86248h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120A1C4 second address: 120A1DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F18B9954E53h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120A1DD second address: 120A1F7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F18B8B86236h 0x00000008 jp 00007F18B8B86236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120A1F7 second address: 120A20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F18B9954E46h 0x0000000a popad 0x0000000b pushad 0x0000000c jnl 00007F18B9954E46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1209B67 second address: 1209B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007F18B8B86236h 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F18B8B86242h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1209B8A second address: 1209BA3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F18B9954E46h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F18B9954E46h 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1209BA3 second address: 1209BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1209D1E second address: 1209D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jl 00007F18B9954E52h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120BBEC second address: 120BBF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120BA7B second address: 120BA89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F18B9954E52h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 120BA89 second address: 120BA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212345 second address: 121235A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F18B9954E4Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121235A second address: 121235F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1212490 second address: 12124A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E4Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121C44E second address: 121C45E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jbe 00007F18B8B86236h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121C2F0 second address: 121C2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121C2FB second address: 121C301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 121C301 second address: 121C305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122341B second address: 1223420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223420 second address: 122343F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F18B9954E46h 0x00000009 jmp 00007F18B9954E54h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 122343F second address: 122349A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F18B8B86246h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F18B8B86238h 0x00000014 pushad 0x00000015 jmp 00007F18B8B86243h 0x0000001a jmp 00007F18B8B86242h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F18B8B8623Bh 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1223D63 second address: 1223D77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F18B9954E50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12280DB second address: 12280DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1228222 second address: 1228241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F18B9954E46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F18B9954E51h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1237268 second address: 123726E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 123726E second address: 1237272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124C2D9 second address: 124C2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 112B756 second address: 112B76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B59D second address: 124B5BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F18B8B86248h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B9BD second address: 124B9C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124B9C1 second address: 124B9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124BE30 second address: 124BE3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124BE3D second address: 124BE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124BE41 second address: 124BE45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124BE45 second address: 124BE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124BE50 second address: 124BE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1255FB2 second address: 1255FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1255FFE second address: 1256002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256002 second address: 125600C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F18B8B86236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125600C second address: 1256011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1256011 second address: 1256028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F18B8B86236h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F18B8B86236h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1257BC3 second address: 1257BC9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F52B second address: 124F533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F533 second address: 124F539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F810 second address: 124F816 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F816 second address: 124F820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F18B9954E46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 124F820 second address: 124F824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12507D4 second address: 12507D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 117343D second address: 1173442 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173442 second address: 1173469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F18B9954E59h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1173469 second address: 117346F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FBDE21 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: FBDCFE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 11687F5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 118BB95 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 6EC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0113D635 rdtsc

5_2_0113D635

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 7496

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0119F258 GetSystemInfo,VirtualAlloc,

5_2_0119F258

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, file.exe, 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0113D635 rdtsc

5_2_0113D635

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, file.exe, 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmp

Binary or memory string: UProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_01194DC8 GetSystemTime,GetFileTime,

5_2_01194DC8

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	261 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	Win32.Infostealer.Tinba
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562492
Start date and time:	2024-11-25 16:21:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com, time.windows.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.499952362890072
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'813'440 bytes
MD5:	62999b3ca5005da29eb4d0853c5fa789
SHA1:	8512b3a7ac2f37b19b0a75586859d724b857b6c6
SHA256:	0fd8b2570b5b38cb65325116d2ea01d414876f903cf72c26a1733a1d6f35bd22
SHA512:	acb504dc190caf3789758c035e8522b057f601e5f8c6d5deb5968d3e248b9cc68e3e804bba8783bce6800b8cf9f6f9a3b1f1c02e82641d76ed17259cc635750e
SSDEEP:	49152:j9210JI1IUwJRaXjgkZPzMLJ01CDkyCTqsiz:x210JItwJRaX0uPzMuJg
TLSH:	65D54C52BC45B1CBE48A1BB5512BCE829D2D07F90B3504C7AC6DB5BE7E63CC511BAC28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`+.. ...`....@.. ........................+.....>g+...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6b6000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F18B884765Ah
bswap esp
sub al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F18B8849655h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+02h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lahf
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jnle 00007F18B88475D2h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aam 04h
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lahf
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	dde5b4630e986a378539c56d51becd33	False	0.9327256944444444	data	7.793247849511672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vfzorowi	0xa000	0x2aa000	0x2a8e00	d93316814d17c13ebf4a3de996f2dfcc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ahyfouxz	0x2b4000	0x2000	0x400	d8ec53fc4087893fa8aef6c0d8256f9c	False	0.78125	data	5.987408728722672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2b6000	0x4000	0x2200	1362755e1008c957bd85911f5e591016	False	0.06881893382352941	DOS executable (COM)	0.7585848594105997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	5
Start time:	10:22:06
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfb0000
File size:	2'813'440 bytes
MD5 hash:	62999B3CA5005DA29EB4D0853C5FA789
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	5.1%
Total number of Nodes:	312
Total number of Limit Nodes:	19

Executed Functions

Function 0119F258 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11315FEC), ref: 0119F264
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 0119F2C5

Memory Dump Source

Source File: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 5cdb997830d5eabcfdba823fb9d7220baba6bb1d66dc5eebfd447d5d3c197c15
Instruction ID: ef6bddb1f2bba01aa18c386a14170b928369e8c8e36e4056e1f6bf8168620a24
Opcode Fuzzy Hash: 5cdb997830d5eabcfdba823fb9d7220baba6bb1d66dc5eebfd447d5d3c197c15
Instruction Fuzzy Hash: 264112B6D44207ABE729DF64C855F96BBACFF08741F0040A2A712CD982D77495D5CBE0

Function 0113D635 Relevance: 1.6, APIs: 1, Instructions: 133
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0113D638

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0da1d4874948244da89ff930396d9228992ca054dadf5661e5a00858bf25b72f
Instruction ID: e42f8df1565c3d265bb022504d232ede151373c137b6f3cb7f9d26ed0bd32d22
Opcode Fuzzy Hash: 0da1d4874948244da89ff930396d9228992ca054dadf5661e5a00858bf25b72f
Instruction Fuzzy Hash: 98417FF610C300AFE705AE09ED816BAFBE9EF84360F16892DE6C582610D73559409BA7

Function 0119234E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?), ref: 0119245F
LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 01192473

Strings

1002, xrefs: 01192429
.exe, xrefs: 011923BA
.dll, xrefs: 01192396

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: .dll$.exe$1002
API String ID: 1029625771-847511843
Opcode ID: 314bb8b799a9349dca00b39b187d7aa4c62c73c06dbfea6f68def0793e361520
Instruction ID: 75541a244bbd6b519237a590c41a946dab51267ce0516bb43dafe4bd3fa7cc07
Opcode Fuzzy Hash: 314bb8b799a9349dca00b39b187d7aa4c62c73c06dbfea6f68def0793e361520
Instruction Fuzzy Hash: 28319E7580420AFFDF2EAF54D904AAE7FB9FF18314F018169F92297160C77199A0CB92

Function 01192854 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,011927E6,?,00000000,00000000), ref: 01192911
GetModuleHandleA.KERNEL32(00000000,?,?,?,011927E6,?,00000000,00000000), ref: 0119291F

Strings

.dll, xrefs: 01192887

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: HandleModule
String ID: .dll
API String ID: 4139908857-2738580789
Opcode ID: 6c7fb0db8f302a1089b9925b3b6ef8b48fa5c566a4e856ee17145c9d6032e162
Instruction ID: 65f0c479b94c6d358f922ff0653a5e630ea5f472295de7b438eb6ecd8583f054
Opcode Fuzzy Hash: 6c7fb0db8f302a1089b9925b3b6ef8b48fa5c566a4e856ee17145c9d6032e162
Instruction Fuzzy Hash: C7112A3150074AFEEF3DAF28C848BA97AB4BF20345F044225F625494E4DBB591E4DAD2

Function 0114B303 Relevance: 4.6, APIs: 3, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0114EAD5
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0114EAFC
GetNativeSystemInfo.KERNELBASE(?), ref: 0114EB53

Memory Dump Source

Source File: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: 70d035b7ec0f103f9e6fcf9dbab699a4336c6e66898cfc3b4e2a650c289fd902
Instruction ID: 3d3109c584e689aa1a4d2254a4c21b2849c3c7fb7a11313aaa6fe660677868a6
Opcode Fuzzy Hash: 70d035b7ec0f103f9e6fcf9dbab699a4336c6e66898cfc3b4e2a650c289fd902
Instruction Fuzzy Hash: 57312A7110510EDFEF15DF54C849AEF3BA8FF05715F02042AE98282941E7BA4DA4CF6A

Function 00FBE6F5 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00FBE6F5

Strings

f1&}, xrefs: 00FBFA5F
7o&, xrefs: 00FBF5B1

Memory Dump Source

Source File: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: 7o&$f1&}
API String ID: 4275171209-953520011
Opcode ID: 0575fefa5d4cecddd365175fe6d478bf0d58b8eedceebc00e23396436c2b0777
Instruction ID: 73e892d4e1fa8c03a9b1eee9e578e92d2abbc65c03f19414ae7b810cd8df1374
Opcode Fuzzy Hash: 0575fefa5d4cecddd365175fe6d478bf0d58b8eedceebc00e23396436c2b0777
Instruction Fuzzy Hash: CDF0F4B360C2099FC3041E7E9C488AB7BE9DAC6331B36032DF456C3784DA7289458622

Function 0119122E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathAddExtensionA.KERNELBASE(?,00000000), ref: 01191290

Strings

\\?\, xrefs: 011912EB

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: ExtensionPath
String ID: \\?\
API String ID: 158807944-4282027825
Opcode ID: 488138546b900285770da13847e051b9bd877f273774b47600118af123f8e7df
Instruction ID: 35c5a8e0990b6635cfbdeb6aa8fa1af67b1b8ec7924617a07339bfe918174897
Opcode Fuzzy Hash: 488138546b900285770da13847e051b9bd877f273774b47600118af123f8e7df
Instruction Fuzzy Hash: 5A313D75A0020ABFEF26DF98C809B9EBB7AFF84364F000195FA11A5490D37296A1DB55

Function 0119293D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01190C7B: GetCurrentThreadId.KERNEL32 ref: 01190C8A

GetModuleHandleExA.KERNELBASE(?,?,?), ref: 011929A1

Strings

.dll, xrefs: 0119295E

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CurrentHandleModuleThread
String ID: .dll
API String ID: 2752942033-2738580789
Opcode ID: 5f1e29c8481369f59bf67236f4c5e8b4c05d44952730de47ed8212e62cfcd22f
Instruction ID: b23c7d04373b360303c72dc3842422f6a2c891a6bfef34967e4b539906418441
Opcode Fuzzy Hash: 5f1e29c8481369f59bf67236f4c5e8b4c05d44952730de47ed8212e62cfcd22f
Instruction Fuzzy Hash: F9F0907120030ABFDF199F68D884B5E3BA8FF183A8F108010FD254A051D371C5609A52

Function 0114A6D2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0114A6E4

Strings

zx|O, xrefs: 0114A984

Memory Dump Source

Source File: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: zx|O
API String ID: 1029625771-449694967
Opcode ID: bc954ded7d4472c5aff188a38db4824f32b821fb16553ea3a1ac5174e84de394
Instruction ID: 37ecbdba093e774de3799ec4fe46ab560323edcce5d424314257b46de57af867
Opcode Fuzzy Hash: bc954ded7d4472c5aff188a38db4824f32b821fb16553ea3a1ac5174e84de394
Instruction Fuzzy Hash: 6EF015B541CB00EBCB08AF19D48056DFBE0BF94B20F43891DA5C683614E33958A18B47

Function 01194D36 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01190C7B: GetCurrentThreadId.KERNEL32 ref: 01190C8A

GetCurrentProcess.KERNEL32(-11315FEC), ref: 01194D43
DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01194DA9

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: Current$DuplicateHandleProcessThread
String ID:
API String ID: 3748180921-0
Opcode ID: e8b1b602ad78e147df7f9f280b37b3f0dda6c5e23162d98cb5022803bf69822f
Instruction ID: 80f75dccd267ffe6f0a3666d21cb8290387a3933133a89041fa6422abf58e7cf
Opcode Fuzzy Hash: e8b1b602ad78e147df7f9f280b37b3f0dda6c5e23162d98cb5022803bf69822f
Instruction Fuzzy Hash: 0601FB3610014ABB9F2AAFA8DE44CAF3BBAFFA82587004215F92594510C735D062DB62

Function 0119FC84 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e996bfd139ee32d967aadc5e32a4e5413a45e173934d18095ea1d338c8378dd
Instruction ID: 8c7b5bd4c48745946214ddf4c701ca8b7c3d7b295fb48ace1afc6c040e459eba
Opcode Fuzzy Hash: 3e996bfd139ee32d967aadc5e32a4e5413a45e173934d18095ea1d338c8378dd
Instruction Fuzzy Hash: 7A417C71904107BFEF29CF18D944BADBFA1FF01314F158455E922EA142C371A8A1CBA1

Function 011933B5 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0119346A

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6b417de9905f0fc8868720365861deaa42a48bd2c58259ad6c5d11ee645305a6
Instruction ID: 5a113cea26ba2408e3f401b529e7aa9b2b3125fd5c17daa911cd01ec6133dea8
Opcode Fuzzy Hash: 6b417de9905f0fc8868720365861deaa42a48bd2c58259ad6c5d11ee645305a6
Instruction Fuzzy Hash: 1E316B75910205BEEF259F68DC44F9EBBB8FB04314F208265F626AB190C771A9518B50

Function 0113D7A8 Relevance: 1.6, APIs: 1, Instructions: 103
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0113D7A8

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2a8705d8c5c4bb14470e368d6c20c674a841e31f6eef05afcaf1196546fd4ec8
Instruction ID: d5a8760010bf57829c71c8124990a3c4d593235b001e6020b098046ba6637b4b
Opcode Fuzzy Hash: 2a8705d8c5c4bb14470e368d6c20c674a841e31f6eef05afcaf1196546fd4ec8
Instruction Fuzzy Hash: C83135B240C200AFE746AF58D88166EFBF8FF94760F12482DE6D592610D7354890DB57

Function 01192BD1 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 01192C53

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 52ace39e94ae77ac22d107b0839a6569740c053d6861244deb613d48e42c7323
Instruction ID: 4b3f74f3ed645c863cbe43308a3335d0646d0049244394b366b8452744747be6
Opcode Fuzzy Hash: 52ace39e94ae77ac22d107b0839a6569740c053d6861244deb613d48e42c7323
Instruction Fuzzy Hash: DB31A771A40205BFEF359F54ED45F99B7B8FF04728F204355F625AA0D1C3B1A5818B94

Function 01141648 Relevance: 1.6, APIs: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 011416D0

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 55646acdf47e2112296f85bb7b9e25d14daf54a858de3287d2b8454395eb96f2
Instruction ID: 782d5c567709210a6d69bef4b3a7b328e3d0023cefc8588999b8a0315969aa47
Opcode Fuzzy Hash: 55646acdf47e2112296f85bb7b9e25d14daf54a858de3287d2b8454395eb96f2
Instruction Fuzzy Hash: ED2168B35482163FE30D9E60AD50BFE7B7DE783A30F25851AF90696582D3C06E80413A

Function 0119F9D1 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0119FA7E

Memory Dump Source

Source File: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: ab7a68c77769318276852a89db410b676514f2542b03ee883c240e3a5f1f6b82
Instruction ID: 9b03f5f7a08383d16e0bd99ed1f337e3d3d19b737ae98adee873a706d89ec644
Opcode Fuzzy Hash: ab7a68c77769318276852a89db410b676514f2542b03ee883c240e3a5f1f6b82
Instruction Fuzzy Hash: 4711B472A0122ABFEF298A088C48BEA7F7CAF44754F004091E955D6045D778D9CACAA1

Function 070A0D42 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 070A0DCD

Memory Dump Source

Source File: 00000005.00000002.1418320283.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70a0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ab21e6503feffd1df2ccf60ea322f105979b6fc560af007882856efacda19a92
Instruction ID: 411d93b9eb763bc1b24529f5f79260576c7d9c9e8a3d4795a5b1601c4a5cff87
Opcode Fuzzy Hash: ab21e6503feffd1df2ccf60ea322f105979b6fc560af007882856efacda19a92
Instruction Fuzzy Hash: 0B2149B6C012199FCB50CF99D884BDEFBF0EB88310F14821AD908AB245D7349541CFA4

Function 070A0D48 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 070A0DCD

Memory Dump Source

Source File: 00000005.00000002.1418320283.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70a0000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c304e22aacf63409d3a9d276077131e2549873aa3f341e21179e0fe6018a83dd
Instruction ID: 3945549363ed3ea932febebffad50f30cbbd69c8047e44882320afa2bb04a27a
Opcode Fuzzy Hash: c304e22aacf63409d3a9d276077131e2549873aa3f341e21179e0fe6018a83dd
Instruction Fuzzy Hash: 172127B6C012199FCB50DF99D884BDEFBF4EB88320F14861AD808AB244D774A541CFA4

Function 070A1509 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 070A1580

Memory Dump Source

Source File: 00000005.00000002.1418320283.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70a0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: f5567dd24e29c46b183f773d23c9486cbc48aacdc4b62eee235d1a6d225abc4b
Instruction ID: 707ea8848b74e1e82260e7093a1de973866e5f7e753cda10a8873ec24978e180
Opcode Fuzzy Hash: f5567dd24e29c46b183f773d23c9486cbc48aacdc4b62eee235d1a6d225abc4b
Instruction Fuzzy Hash: 0D2106B5D00349DFDB20CF9AC584BDEBBF4EB48320F108529E559A7250C378A645CFA5

Function 070A1510 Relevance: 1.6, APIs: 1, Instructions: 54serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(?,?,?), ref: 070A1580

Memory Dump Source

Source File: 00000005.00000002.1418320283.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70a0000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: ec65efb23c59643cde85585435bdb6fabdc55c09afb4cf4555b7c24b32fe675d
Instruction ID: 51002bf6627e4aedf56cec8c8f72ef634c078d0e74e272c04485a46fc8ba2746
Opcode Fuzzy Hash: ec65efb23c59643cde85585435bdb6fabdc55c09afb4cf4555b7c24b32fe675d
Instruction Fuzzy Hash: C711F4B1D003499FDB20CF9AC544BDEBBF4AB48320F108129E958A3240D378A545CFA5

Function 070A1301 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 070A1367

Memory Dump Source

Source File: 00000005.00000002.1418320283.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70a0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 26f4384767a5fa544c407bfa25ce94c70945067b491e09cbc119ed198b15858e
Instruction ID: 22f6feddbddfcc51fbbabf6b540c252c51a301f002c64b4d5926923f24f1a965
Opcode Fuzzy Hash: 26f4384767a5fa544c407bfa25ce94c70945067b491e09cbc119ed198b15858e
Instruction Fuzzy Hash: CB1113B1D00249DFDB20DF9AC545BEEBBF4EB48320F14842AD558A7240C778A945CFA5

Function 070A1308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 070A1367

Memory Dump Source

Source File: 00000005.00000002.1418320283.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_70a0000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: ad8b9bbe3b85ed609f5079e7ff166026aafd45ade543e8db98c2db9f96cb9d9e
Instruction ID: 8fd6b79195a6a951e83e716045f74c19220998954e224350a021466642038458
Opcode Fuzzy Hash: ad8b9bbe3b85ed609f5079e7ff166026aafd45ade543e8db98c2db9f96cb9d9e
Instruction Fuzzy Hash: F51125B1C003499FDB20DF9AC545BEEBBF4EB48320F10842AD558A3240C778A945CFA5

Function 0114166E Relevance: 1.5, APIs: 1, Instructions: 45fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 011416D0

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c139e650afe08d1c925f2e084a98409d943e9471dfc21f6191d2987a91ecd016
Instruction ID: fa22babe1d3c674fd9c9620ebef591bf9f9dba782f71fb1ab3b1ee93cc86fce2
Opcode Fuzzy Hash: c139e650afe08d1c925f2e084a98409d943e9471dfc21f6191d2987a91ecd016
Instruction Fuzzy Hash: 37F059B38882563FE31D9E516D04AFABB2CDB92670B2A412FE85AD1542D3C0ADC44537

Function 01141815 Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01141863

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d659ac04951f652440ae0d5cd6a06b0b19c05ec8262895b3e93674fd4d62aafd
Instruction ID: 25e0a66dbef6ebcbfed8a5ebc5c667540ad214af9fff6be92b123b53255a183f
Opcode Fuzzy Hash: d659ac04951f652440ae0d5cd6a06b0b19c05ec8262895b3e93674fd4d62aafd
Instruction Fuzzy Hash: DAF078B3418263BFF3199F249C947B97FA8EF91954F12016CD84587480C3743CC08765

Function 01141B07 Relevance: 1.5, APIs: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01141B1D

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4834276201dff3a485b2974356ddcced3f2e4a35aec35c3890ff3e64aef7dcc2
Instruction ID: 1b26f811a32d48ce34bbff541eac5acad4c6c76f0222fc6e5bf2f5922ca25bfe
Opcode Fuzzy Hash: 4834276201dff3a485b2974356ddcced3f2e4a35aec35c3890ff3e64aef7dcc2
Instruction Fuzzy Hash: AA01BC7244C3C51BC70A9F7898A469ABFA5EF42228F2982CED4818B0C3D3A81C518B16

Function 0114184D Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01141863

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6eb6de2b47545b0c7492714e6a770c9c3705b3f8ff79d60a9e6d8bd588cf42bd
Instruction ID: 12afc958c56a4ee901ec015113642834c903fc0030543518bfee3c0483910130
Opcode Fuzzy Hash: 6eb6de2b47545b0c7492714e6a770c9c3705b3f8ff79d60a9e6d8bd588cf42bd
Instruction Fuzzy Hash: 5EF059B29082537FF75AA7388C492B82B68DFA2A60B064B79D495D71C1C32138C28291

Function 011416BC Relevance: 1.5, APIs: 1, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 011416D0

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59ef12ab8014c83ddc85ce261001b73c7162434d2766beb1cc0fc6b86075fd06
Instruction ID: 184a8d7219cdd19885452b867358a3f85c1275bd6e31461733de00778b22ad12
Opcode Fuzzy Hash: 59ef12ab8014c83ddc85ce261001b73c7162434d2766beb1cc0fc6b86075fd06
Instruction Fuzzy Hash: FFE061939C97913DD11495EC5C91FED575CCB63E75F359569F152CA0C2C39038C14132

Function 0114169D Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 011416D0

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 16f73d749ef0e9a9b9eb76b18976df0d3f63a4e79f06d0f32ea0a8b9c23e5e39
Instruction ID: 62254cd6e0e60f6c50e5ab779eded98a45b8cdf0d6d0169df27fb00071771397
Opcode Fuzzy Hash: 16f73d749ef0e9a9b9eb76b18976df0d3f63a4e79f06d0f32ea0a8b9c23e5e39
Instruction Fuzzy Hash: 44E020534C82613DE114A9887E246F9D76CD793630B304129E417C51C2C3C016445131

Function 01141838 Relevance: 1.5, APIs: 1, Instructions: 32fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 01141863

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: efaeba2bfa57647d59140e32864c08a5d623774dbfed0c62407a7392c4b9db9c
Instruction ID: ca5ba6fb7b4f9dffc3a122e7a14298fde05d5a7da400ed7fb88ac1789c18416c
Opcode Fuzzy Hash: efaeba2bfa57647d59140e32864c08a5d623774dbfed0c62407a7392c4b9db9c
Instruction Fuzzy Hash: 84E0ABF28081237FF61A9734CC483F43BA8EB91A40B06446CD44197281C3203CC28391

Function 01190E4C Relevance: 1.3, APIs: 1, Instructions: 39stringCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 01190EB0

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 86e3643fbd15faf11e316837eaa6768790db3349c2c63050f1437e7f94133c1e
Instruction ID: 1f759ccf2fb0dcb6701fbf47a3e6945d7dfa593e2e79346e5e8720e4fb15aff4
Opcode Fuzzy Hash: 86e3643fbd15faf11e316837eaa6768790db3349c2c63050f1437e7f94133c1e
Instruction Fuzzy Hash: 2101E436A0012ABFDF259FA8DC08DDFBF7AEF48744F004165B512A4160E7328A61DB60

Function 0119F5FB Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0119F5F7,?,?,0119F2FD,?,?,0119F2FD,?,?,0119F2FD), ref: 0119F61B

Memory Dump Source

Source File: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0dd67fd3dd9297a81a9346ae6522bfdcee3689433f9333a342bec298987a31a
Instruction ID: bdc9b019a67428cedf79fcfe76f412c1b6f40dd81c7d43e3a9f892923e8ee30f
Opcode Fuzzy Hash: e0dd67fd3dd9297a81a9346ae6522bfdcee3689433f9333a342bec298987a31a
Instruction Fuzzy Hash: CBF06DB1904306EFEB258F54C909B59BFA4FF88751F10C069E65A9B1A1E3B194C1CB94

Function 011939CF Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 01190C7B: GetCurrentThreadId.KERNEL32 ref: 01190C8A

CloseHandle.KERNELBASE(01193392,-11315FEC,?,?,01193392,?), ref: 01193A0D

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CloseCurrentHandleThread
String ID:
API String ID: 3305057742-0
Opcode ID: 4b40ca4b578a7a6be732b927764112839ba2b596f63b9e635b298b2840241438
Instruction ID: 1bf0eb2b7c79fdca04b8f2cbb34b2b9115f1a5f9acca7d7908b7ef29878953be
Opcode Fuzzy Hash: 4b40ca4b578a7a6be732b927764112839ba2b596f63b9e635b298b2840241438
Instruction Fuzzy Hash: 93E04F73A10146B6CF28ABBDD84CD4F7A6DFFA56AC7004531F522D5050CB68D092C6A1

Function 00FBF63D Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00FBF9B5

Memory Dump Source

Source File: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b313ea345d5ef0c7e04aebd9fb75eb05254fa60d6fb2e1eb3962d9d9e9dcab2
Instruction ID: d04a0c74f334d6e2122430dad86fb43d79c4c85a52de64d9c467d541cd84c1d5
Opcode Fuzzy Hash: 9b313ea345d5ef0c7e04aebd9fb75eb05254fa60d6fb2e1eb3962d9d9e9dcab2
Instruction Fuzzy Hash: 7CD0CA7201C20AEEEB422F518800BFDBBF5EB28311F11091AE8C284940C3320CA0EE06

Function 01192A94 Relevance: 1.3, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,01190B1A,?,?), ref: 01192A9A

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e6e98a43014b1d5a8795547c40f258fa7d573c142c3c90fd3d9e8d45a8ce283c
Instruction ID: db4ac6de8594d1cb0cd1a195b21b45fa349446d5c93076e748acf1629ab6d941
Opcode Fuzzy Hash: e6e98a43014b1d5a8795547c40f258fa7d573c142c3c90fd3d9e8d45a8ce283c
Instruction Fuzzy Hash: 5BB09B310101097FCF11BF51DC0584D7F65FF1165C7008110B915454208775D57097D4

Non-executed Functions

Function 01194DC8 Relevance: 3.0, APIs: 2, Instructions: 43timeCOMMON

Download Yara Rule

APIs

Part of subcall function 01190C7B: GetCurrentThreadId.KERNEL32 ref: 01190C8A

GetSystemTime.KERNEL32(?,-11315FEC), ref: 01194DFD
GetFileTime.KERNEL32(?,?,?,?,-11315FEC), ref: 01194E40

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: Time$CurrentFileSystemThread
String ID:
API String ID: 2191017843-0
Opcode ID: 4bc8b97a86413ede3ae7e0ab88653dc5ba00b3d3ba097f15762fe83c54c3913f
Instruction ID: 9fcdb35cd4af83ffa7a6348de1245e3ee1d57c80ff295fad4ac920068fc655ad
Opcode Fuzzy Hash: 4bc8b97a86413ede3ae7e0ab88653dc5ba00b3d3ba097f15762fe83c54c3913f
Instruction Fuzzy Hash: 6501783210404AEBCF299F68DD0CD8F3F79FF89710B014122F42189828C736C8A2DA62

Function 0113E19A Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

Io~, xrefs: 0113E234

Memory Dump Source

Source File: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID:
String ID: Io~
API String ID: 0-30186602
Opcode ID: 34ad9714de9ec23c1a62361d3887b3c4f81479fdf06c4db69cbc8556a06f1522
Instruction ID: 61d66c28d3956d9332c6e3de399f2d789fa52814e19804b9568d7de131a6b387
Opcode Fuzzy Hash: 34ad9714de9ec23c1a62361d3887b3c4f81479fdf06c4db69cbc8556a06f1522
Instruction Fuzzy Hash: 3A417EB290D210EFD755AE19D885AAEFBE5FF98320F06482DEAC883650D7354850CB97

Function 011942FE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 01190C7B: GetCurrentThreadId.KERNEL32 ref: 01190C8A

wsprintfA.USER32 ref: 01194344
LoadImageA.USER32(?,?,?,?,?,?), ref: 01194408

Strings

%8x, xrefs: 011943D2, 01194405
%8x, xrefs: 0119433F, 01194342

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: CurrentImageLoadThreadwsprintf
String ID: %8x$%8x
API String ID: 896354329-2046107164
Opcode ID: f3a61257d339d99af30839d636fef831fe78a54a653ea9f7d34ee80af194f1fd
Instruction ID: d3d25a49faafa20aa5678aba51a66495c3215d6701e2ee07f1cc1e14f7269023
Opcode Fuzzy Hash: f3a61257d339d99af30839d636fef831fe78a54a653ea9f7d34ee80af194f1fd
Instruction Fuzzy Hash: 3231173190010ABFDF15DFA4DD48EEEBB79FF98314F108125FA21A61A0C7719A61DB91

Function 01194ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(009A53BC,00004020,00000000,-11315FEC), ref: 01194FBC

Strings

@, xrefs: 01194EFB

Memory Dump Source

Source File: 00000005.00000002.1416417748.000000000118B000.00000040.00000001.01000000.00000004.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000005.00000002.1415948391.0000000000FB0000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1415963225.0000000000FB2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416058056.0000000000FB6000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416074677.0000000000FBA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416090103.0000000000FC4000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416104920.0000000000FC5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416119416.0000000000FC6000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416208685.0000000001128000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416222087.000000000112A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416236591.000000000113A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416247875.000000000113B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.000000000113C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416262931.0000000001145000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416290734.0000000001150000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416302407.0000000001151000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416315397.0000000001159000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416329257.000000000115A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416343329.0000000001162000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416357261.0000000001163000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416375453.0000000001178000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416388578.000000000117A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416401669.0000000001181000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416432037.0000000001195000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416444839.0000000001197000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416465155.00000000011B7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416479406.00000000011BA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416493746.00000000011BB000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416508795.00000000011C6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416524745.00000000011C7000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416538909.00000000011CA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416554162.00000000011D1000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416568966.00000000011D5000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416583472.00000000011DC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416598612.00000000011E0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416613356.00000000011E8000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416628472.00000000011EB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416642550.00000000011F3000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416656809.00000000011F6000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416674490.0000000001202000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416688570.0000000001204000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.000000000124E000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416717626.0000000001255000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416750938.0000000001264000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1416765810.0000000001266000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_fb0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: @
API String ID: 3188754299-2726393805
Opcode ID: 5ebc740aa8be3de7e5203d8bab4bdafaed2c03d5ea709775374ce321c49db080
Instruction ID: d69b8e0d9816a645dc88df525c6d0208a7e688095092f5db7b3015d6c312f147
Opcode Fuzzy Hash: 5ebc740aa8be3de7e5203d8bab4bdafaed2c03d5ea709775374ce321c49db080
Instruction Fuzzy Hash: 53318D71504306EFEF28CF48C94879ABFB0FF04314F008529E96667A50C374A6A6CB81

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 7272, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 7272, Parent PID: 4056COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
file.exe

Function 0119F258 Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 0113D635 Relevance: 1.6, APIs: 1, Instructions: 133
libraryCOMMON

Function 0119234E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
libraryCOMMON

Function 01192854 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 0114B303 Relevance: 4.6, APIs: 3, Instructions: 84
registryCOMMON

Function 00FBE6F5 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 43
memoryCOMMON

Function 0119122E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
COMMON

Function 0119293D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 0114A6D2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
libraryCOMMON

Function 01194D36 Relevance: 3.0, APIs: 2, Instructions: 41
COMMON

Function 0119FC84 Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Function 011933B5 Relevance: 1.6, APIs: 1, Instructions: 103
fileCOMMON

Function 0113D7A8 Relevance: 1.6, APIs: 1, Instructions: 103
libraryCOMMON