Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562725
MD5:	d821ac834f35b06fb131da343b7e6c9c
SHA1:	d473013e11fd925375dafa82db9f3964f1280900
SHA256:	e9e4689b18e965bb2559fb88fc7c2b22e59e672bf26d40355dab04117f2df18e
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

AI detected suspicious sample

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Hides threads from debuggers

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D821AC834F35B06FB131DA343B7E6C9C)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00DB26F6 CryptVerifySignatureA,

0_2_00DB26F6

Source:

Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2082038128.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmp

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D52783	0_2_00D52783
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D78876	0_2_00D78876
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E61DDB	0_2_00E61DDB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE7FF0	0_2_00DE7FF0

Source: file.exe, 00000000.00000002.2216361705.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2071888709.0000000000BC6000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior

Source: file.exe

Static file information: File size 2854400 > 1048576

Source: file.exe

Static PE information: Raw size of xzcmddim is bigger than: 0x100000 < 0x2b2e00

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.bc0000.0.unpack :EW;.rsrc:W;.idata :W;xzcmddim:EW;cwrknqot:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x2c1eb2 should be: 0x2bdd84

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: xzcmddim
Source: file.exe	Static PE information: section name: cwrknqot
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D76015 push 6C6E2C9Eh; mov dword ptr [esp], ebp	0_2_00D7607C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D521FB push ecx; mov dword ptr [esp], 7DFD8B1Dh	0_2_00D52214
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D521FB push 4BF6E215h; mov dword ptr [esp], edx	0_2_00D52252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D521FB push ebx; mov dword ptr [esp], edi	0_2_00D5228E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D521FB push 7A2B6C2Ah; mov dword ptr [esp], edi	0_2_00D52315
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5232F push 394C9D41h; mov dword ptr [esp], edi	0_2_00D52354
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5232F push edx; mov dword ptr [esp], 56D6FD46h	0_2_00D52368
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5232F push esi; mov dword ptr [esp], esp	0_2_00D5239A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCE5BD push edi; mov dword ptr [esp], edx	0_2_00BCE5D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D74526 push ecx; mov dword ptr [esp], 34F7228Eh	0_2_00D74561
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D74526 push 6A1AE1DFh; mov dword ptr [esp], edi	0_2_00D74686
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD0995 push edi; mov dword ptr [esp], edx	0_2_00BD18B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD0995 push ebp; mov dword ptr [esp], ebx	0_2_00BD2184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCEF99 push 43062F43h; mov dword ptr [esp], eax	0_2_00BCF2DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCEF99 push 35528C1Dh; mov dword ptr [esp], ebp	0_2_00BCF2E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D610D0 push 61CD97A9h; mov dword ptr [esp], eax	0_2_00D610FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D610D0 push 231FECA6h; mov dword ptr [esp], edi	0_2_00D61107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5F0F8 push edx; mov dword ptr [esp], edi	0_2_00D6055D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D500E6 push ebp; mov dword ptr [esp], 0EFC1256h	0_2_00D500E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D500E6 push ebp; mov dword ptr [esp], ecx	0_2_00D500F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D500E6 push 341E6295h; mov dword ptr [esp], eax	0_2_00D502EF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D500E6 push edi; mov dword ptr [esp], ebx	0_2_00D50345
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7B0E8 push ecx; ret	0_2_00D7B0F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5F0A7 push edi; mov dword ptr [esp], esi	0_2_00E5F0FC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCE0EB push eax; mov dword ptr [esp], edi	0_2_00BCE115
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCE0EB push eax; mov dword ptr [esp], 00000004h	0_2_00BCE120
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D50088 push eax; mov dword ptr [esp], esi	0_2_00D5008F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BD20E3 push esi; mov dword ptr [esp], 43CCCE08h	0_2_00BD20ED
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D610B7 push esi; mov dword ptr [esp], 689260E7h	0_2_00D610BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D790B4 push esi; mov dword ptr [esp], ecx	0_2_00D793A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D790B4 push 15BCC67Ch; mov dword ptr [esp], ecx	0_2_00D79867

Source: file.exe

Static PE information: section name: entropy: 7.814422229062923

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCE023 second address: BCE029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D525F8 second address: D52608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jbe 00007F40CD2F7496h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52608 second address: D52620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F40CD1CB52Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52620 second address: D52624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52757 second address: D5276A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F40CD1CB526h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5276A second address: D5276E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5290D second address: D52919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F40CD1CB526h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52919 second address: D5292E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5292E second address: D52973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F40CD1CB52Ah 0x00000008 jmp 00007F40CD1CB52Fh 0x0000000d jmp 00007F40CD1CB534h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007F40CD1CB526h 0x00000021 jg 00007F40CD1CB526h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52973 second address: D52977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52977 second address: D5297D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5297D second address: D52990 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F40CD2F7496h 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5669C second address: D566AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40CD1CB52Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D566AC second address: D566C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F749Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jl 00007F40CD2F74ADh 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D566C7 second address: D566F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB52Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jng 00007F40CD1CB52Ch 0x00000010 adc ecx, 2CB2BE0Fh 0x00000016 push 00000000h 0x00000018 mov ecx, edx 0x0000001a call 00007F40CD1CB529h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D566F9 second address: D56735 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F40CD2F74A9h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F40CD2F749Bh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56735 second address: D56743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB52Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56743 second address: D56748 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56748 second address: D567B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F40CD1CB532h 0x00000010 pop eax 0x00000011 mov edi, dword ptr [ebp+122D1D67h] 0x00000017 sbb edi, 730511DDh 0x0000001d push 00000003h 0x0000001f add cl, FFFFFFB4h 0x00000022 push 00000000h 0x00000024 jp 00007F40CD1CB529h 0x0000002a push 00000003h 0x0000002c call 00007F40CD1CB534h 0x00000031 js 00007F40CD1CB528h 0x00000037 pop edx 0x00000038 cld 0x00000039 push 956F4FBDh 0x0000003e push eax 0x0000003f push edx 0x00000040 jnp 00007F40CD1CB528h 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D567B1 second address: D56819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 556F4FBDh 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F40CD2F7498h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a sbb cx, 93E0h 0x0000002f call 00007F40CD2F74A0h 0x00000034 movsx ecx, ax 0x00000037 pop esi 0x00000038 lea ebx, dword ptr [ebp+1245C509h] 0x0000003e add edx, 673FDBEEh 0x00000044 xchg eax, ebx 0x00000045 push ecx 0x00000046 push eax 0x00000047 push edx 0x00000048 jno 00007F40CD2F7496h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5689D second address: D568DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB52Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F40CD1CB52Bh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jnc 00007F40CD1CB532h 0x0000001e jc 00007F40CD1CB52Ch 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D568DC second address: D568E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D568E3 second address: D56991 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB52Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jng 00007F40CD1CB534h 0x00000013 pop eax 0x00000014 push 00000003h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F40CD1CB528h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 jng 00007F40CD1CB532h 0x00000038 push ecx 0x00000039 jmp 00007F40CD1CB52Ah 0x0000003e pop ecx 0x0000003f push 00000003h 0x00000041 mov ecx, dword ptr [ebp+122D1D93h] 0x00000047 push F6C8C328h 0x0000004c push edx 0x0000004d jmp 00007F40CD1CB52Dh 0x00000052 pop edx 0x00000053 xor dword ptr [esp], 36C8C328h 0x0000005a lea ebx, dword ptr [ebp+1245C512h] 0x00000060 sub dword ptr [ebp+122D1DEEh], edi 0x00000066 xchg eax, ebx 0x00000067 push eax 0x00000068 push edx 0x00000069 jc 00007F40CD1CB538h 0x0000006f jmp 00007F40CD1CB532h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56991 second address: D5699B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56AB3 second address: D56AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56AB7 second address: D56AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b je 00007F40CD2F74A2h 0x00000011 jg 00007F40CD2F749Ch 0x00000017 mov eax, dword ptr [eax] 0x00000019 jp 00007F40CD2F74A4h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 jng 00007F40CD2F74A0h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56AF8 second address: D56B59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jmp 00007F40CD1CB531h 0x0000000c push 00000003h 0x0000000e mov di, 3AB2h 0x00000012 sub dword ptr [ebp+122D25C8h], ebx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F40CD1CB528h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 jmp 00007F40CD1CB52Ch 0x00000039 push 00000003h 0x0000003b xor dword ptr [ebp+122D25BFh], esi 0x00000041 push BFA5E923h 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56B59 second address: D56BC3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F40CD2F749Eh 0x00000010 pop edx 0x00000011 popad 0x00000012 xor dword ptr [esp], 7FA5E923h 0x00000019 jmp 00007F40CD2F74A5h 0x0000001e lea ebx, dword ptr [ebp+1245C51Dh] 0x00000024 pushad 0x00000025 movzx edx, si 0x00000028 mov ecx, dword ptr [ebp+122D298Bh] 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 jbe 00007F40CD2F74ACh 0x00000037 jmp 00007F40CD2F74A6h 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56BC3 second address: D56BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56BC7 second address: D56BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D743DC second address: D743E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D743E2 second address: D743FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F40CD2F7496h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F40CD2F7496h 0x00000014 js 00007F40CD2F7496h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74531 second address: D74535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D746B2 second address: D746BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D746BA second address: D746DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F40CD1CB52Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D746DD second address: D746ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F40CD2F74AEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D746ED second address: D746F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D746F3 second address: D746F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D749C6 second address: D749CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D749CC second address: D749D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74CCB second address: D74CD1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74CD1 second address: D74CDE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F40CD2F7498h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74E12 second address: D74E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74F73 second address: D74F83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F749Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74F83 second address: D74FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F40CD1CB52Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F40CD1CB530h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74FAB second address: D74FCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F40CD2F74A4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74FCC second address: D74FF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB530h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F40CD1CB536h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F40CD1CB52Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D74FF8 second address: D75025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F40CD2F74A8h 0x0000000a jng 00007F40CD2F7496h 0x00000010 popad 0x00000011 pushad 0x00000012 jnp 00007F40CD2F7496h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7567D second address: D75682 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6D57A second address: D6D584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6D584 second address: D6D5A3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F40CD1CB526h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F40CD1CB52Fh 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6D5A3 second address: D6D5C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A6h 0x00000007 jno 00007F40CD2F7496h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6D5C3 second address: D6D5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40CD1CB532h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4A861 second address: D4A873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F40CD2F749Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4A873 second address: D4A887 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F40CD1CB52Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4A887 second address: D4A88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4A88D second address: D4A8B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jnc 00007F40CD1CB526h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75DBF second address: D75DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76176 second address: D76180 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40CD1CB526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76180 second address: D7618A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76487 second address: D764A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007F40CD1CB537h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F40CD1CB52Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D40698 second address: D406AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40CD2F749Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C926 second address: D7C93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jl 00007F40CD1CB538h 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F40CD1CB526h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C93A second address: D7C94D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C94D second address: D7C958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F40CD1CB526h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C958 second address: D7C97C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C97C second address: D7C986 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F40CD1CB526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7AEDA second address: D7AEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7AEDE second address: D7AEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B7A1 second address: D7B7A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B7A5 second address: D7B7AA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CAAC second address: D7CAB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CAB2 second address: D7CAB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CAB7 second address: D7CADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A1h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007F40CD2F7498h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7CADD second address: D7CB0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB52Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F40CD1CB52Ch 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007F40CD1CB52Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80F14 second address: D80F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80F1A second address: D80F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80F1E second address: D80F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D80F3D second address: D80F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84897 second address: D8489F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8489F second address: D848A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84A1D second address: D84A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F40CD2F7496h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84A28 second address: D84A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84A30 second address: D84A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F40CD2F7496h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F40CD2F74B0h 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F40CD2F74A8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84A5F second address: D84A7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB535h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84A7A second address: D84A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84BAC second address: D84BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84D15 second address: D84D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D84D19 second address: D84D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F40CD1CB537h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86366 second address: D86389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a jmp 00007F40CD2F74A7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8643E second address: D86473 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F40CD1CB52Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F40CD1CB532h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F40CD1CB52Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86473 second address: D86478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86478 second address: D8647E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8647E second address: D8648C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87060 second address: D87079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], ebx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F40CD1CB52Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87079 second address: D8707E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D870FB second address: D87101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87353 second address: D87357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87357 second address: D8735B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8735B second address: D87372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F40CD2F749Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D874C6 second address: D874CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87AF6 second address: D87AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87AFB second address: D87B13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F40CD1CB526h 0x00000009 jg 00007F40CD1CB526h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87BB3 second address: D87BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87BB9 second address: D87BEF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F40CD1CB526h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007F40CD1CB535h 0x00000014 jmp 00007F40CD1CB52Fh 0x00000019 pushad 0x0000001a jmp 00007F40CD1CB530h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88599 second address: D8859D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D88443 second address: D8845C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40CD1CB535h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8845C second address: D88460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89ED3 second address: D89ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AAD0 second address: D8AB5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F40CD2F7496h 0x00000009 jmp 00007F40CD2F74A8h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push esi 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jc 00007F40CD2F7496h 0x0000001c popad 0x0000001d pop esi 0x0000001e nop 0x0000001f mov esi, 4E072DFFh 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F40CD2F7498h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Ch 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 push 00000000h 0x00000042 clc 0x00000043 push eax 0x00000044 pushad 0x00000045 jmp 00007F40CD2F74A3h 0x0000004a pushad 0x0000004b jmp 00007F40CD2F74A4h 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8B5C7 second address: D8B5E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8B5E2 second address: D8B5EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8B5EC second address: D8B5F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8C120 second address: D8C137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F40CD2F749Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8BEB4 second address: D8BEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8CB93 second address: D8CB9D instructions: 0x00000000 rdtsc 0x00000002 js 00007F40CD2F749Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8CB9D second address: D8CBD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F40CD1CB528h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 pushad 0x00000027 jng 00007F40CD1CB52Ch 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90168 second address: D9017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F40CD2F749Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9017B second address: D901B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F40CD1CB526h 0x00000008 jmp 00007F40CD1CB539h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F40CD1CB530h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D901B7 second address: D901BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D901BC second address: D901C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D901C4 second address: D901C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9326D second address: D93272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95DE3 second address: D95DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95DE8 second address: D95E28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub dword ptr [ebp+12461A7Bh], edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F40CD1CB528h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov edi, ecx 0x0000002d push 00000000h 0x0000002f clc 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95E28 second address: D95E2E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95E2E second address: D95E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F40CD1CB526h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95E42 second address: D95E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95E46 second address: D95E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95020 second address: D95027 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96EDC second address: D96F22 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40CD1CB52Ch 0x00000008 je 00007F40CD1CB526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 call 00007F40CD1CB52Fh 0x00000018 mov edi, dword ptr [ebp+122D29B7h] 0x0000001e pop edi 0x0000001f push 00000000h 0x00000021 jmp 00007F40CD1CB52Ch 0x00000026 push 00000000h 0x00000028 mov edi, edx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jo 00007F40CD1CB526h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96F22 second address: D96F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96036 second address: D9604C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD1CB531h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97E12 second address: D97E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F40CD2F7496h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97E1D second address: D97E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97E23 second address: D97E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F749Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97E3F second address: D97E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F40CD1CB526h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97EDD second address: D97F00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e ja 00007F40CD2F7496h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D970DF second address: D970E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F40CD1CB526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D98D72 second address: D98DCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F749Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add bx, 643Ch 0x0000000f xor bx, DEA1h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F40CD2F7498h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 jmp 00007F40CD2F749Ch 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b jo 00007F40CD2F7496h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D98DCC second address: D98DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AE79 second address: D9AE7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AE7D second address: D9AE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F40CD1CB52Eh 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D99F3C second address: D99F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9BFAB second address: D9BFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B0D2 second address: D9B0E0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C13F second address: D9C143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0172 second address: DA0176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA21D2 second address: DA21EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F40CD1CB52Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3EAEA second address: D3EAF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3834 second address: DA3838 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3838 second address: DA383E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3E7F second address: DA3E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3E83 second address: DA3E87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3E87 second address: DA3E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3E8D second address: DA3EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F40CD2F7496h 0x00000009 jno 00007F40CD2F7496h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3EA5 second address: DA3EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA3EAA second address: DA3EB4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F40CD2F749Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5D80 second address: DA5E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F40CD1CB528h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F40CD1CB528h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 mov bx, si 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ebp 0x0000004a call 00007F40CD1CB528h 0x0000004f pop ebp 0x00000050 mov dword ptr [esp+04h], ebp 0x00000054 add dword ptr [esp+04h], 0000001Ah 0x0000005c inc ebp 0x0000005d push ebp 0x0000005e ret 0x0000005f pop ebp 0x00000060 ret 0x00000061 jmp 00007F40CD1CB538h 0x00000066 xchg eax, esi 0x00000067 push eax 0x00000068 push edx 0x00000069 push edx 0x0000006a js 00007F40CD1CB526h 0x00000070 pop edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA400A second address: DA409D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F40CD2F7496h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e jnc 00007F40CD2F7498h 0x00000014 pop esi 0x00000015 nop 0x00000016 sub dword ptr [ebp+122D371Bh], edi 0x0000001c push dword ptr fs:[00000000h] 0x00000023 jnc 00007F40CD2F74B0h 0x00000029 call 00007F40CD2F74A9h 0x0000002e pop edi 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 call 00007F40CD2F74A0h 0x0000003b and di, 2DAEh 0x00000040 pop ebx 0x00000041 mov eax, dword ptr [ebp+122D032Dh] 0x00000047 stc 0x00000048 mov ebx, dword ptr [ebp+122D2AE7h] 0x0000004e push FFFFFFFFh 0x00000050 pushad 0x00000051 mov cx, E453h 0x00000055 popad 0x00000056 nop 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F40CD2F74A8h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4FA7 second address: DA4FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4FAB second address: DA4FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4FAF second address: DA4FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F40CD1CB526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA6E5C second address: DA6E6A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA6E6A second address: DA6E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7A85 second address: DB7A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D457BC second address: D457DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD1CB52Ah 0x00000009 jmp 00007F40CD1CB533h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D457DE second address: D457E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D457E6 second address: D457EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D457EA second address: D457FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F40CD2F7496h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB71AE second address: DB71D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F40CD1CB533h 0x0000000c push ebx 0x0000000d jmp 00007F40CD1CB52Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB71D6 second address: DB71DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7337 second address: DB7355 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F40CD1CB534h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC4C9 second address: DBC4FF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F40CD2F749Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F40CD2F74A5h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F40CD2F7496h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC4FF second address: DBC503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC503 second address: DBC512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F40CD2F7496h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBC512 second address: DBC51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC3485 second address: DC34CC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F40CD2F7498h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F40CD2F74A4h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jne 00007F40CD2F74A3h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 je 00007F40CD2F74A4h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC34CC second address: DC34D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC8204 second address: DC8223 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F40CD2F749Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 jc 00007F40CD2F7496h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6E8A second address: DC6E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F40CD1CB526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6E96 second address: DC6E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6E9A second address: DC6EAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB52Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7549 second address: DC754D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7702 second address: DC7708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7708 second address: DC7735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 jl 00007F40CD2F749Ah 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F40CD2F74A5h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7735 second address: DC774F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD1CB531h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC774F second address: DC7759 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F40CD2F7496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7F6A second address: DC7F80 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F40CD1CB526h 0x00000008 jne 00007F40CD1CB526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7F80 second address: DC7F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7F86 second address: DC7F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDA51 second address: DCDA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDA55 second address: DCDA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD1CB52Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F40CD1CB526h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDA71 second address: DCDA7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F749Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDA7F second address: DCDA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3CF9F second address: D3CFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC761 second address: DCC766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCE82 second address: DCCE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F40CD2F74A2h 0x0000000a ja 00007F40CD2F7496h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCE94 second address: DCCEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F40CD1CB52Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD115 second address: DCD134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40CD2F74A4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD134 second address: DCD138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD138 second address: DCD13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD13E second address: DCD144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD144 second address: DCD149 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD87E second address: DCD884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD884 second address: DCD898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F749Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD898 second address: DCD89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD1A25 second address: DD1A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D909A9 second address: D909B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F40CD1CB526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D909B3 second address: D90A01 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F40CD2F7498h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 lea eax, dword ptr [ebp+124966F3h] 0x0000002b mov dword ptr [ebp+122D30E2h], edx 0x00000031 nop 0x00000032 pushad 0x00000033 jc 00007F40CD2F749Ch 0x00000039 ja 00007F40CD2F7496h 0x0000003f pushad 0x00000040 jne 00007F40CD2F7496h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90A01 second address: D90A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jc 00007F40CD1CB534h 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F40CD1CB526h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90A16 second address: D6D57A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 xor di, A9A6h 0x0000000c call dword ptr [ebp+124595EDh] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90E42 second address: D90E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90F95 second address: D90FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A9h 0x00000009 popad 0x0000000a jmp 00007F40CD2F74A9h 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F40CD2F7496h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90FD7 second address: D90FF3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F40CD1CB52Ah 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D90FF3 second address: D9100C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9100C second address: D91010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91010 second address: D91071 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jnl 00007F40CD2F74ABh 0x00000015 jmp 00007F40CD2F74A5h 0x0000001a pop eax 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F40CD2F7498h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov cx, 0248h 0x00000039 call 00007F40CD2F7499h 0x0000003e push ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91071 second address: D91075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D911F1 second address: D91262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F40CD2F7496h 0x00000009 jns 00007F40CD2F7496h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jno 00007F40CD2F74B7h 0x00000019 xchg eax, esi 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F40CD2F7498h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F40CD2F749Fh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91262 second address: D91267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91267 second address: D9126D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9126D second address: D9127D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5DF4 second address: DD5DFE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F40CD2F7496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5F73 second address: DD5F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5F7C second address: DD5F85 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD60F4 second address: DD6112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F40CD1CB526h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F40CD1CB52Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6112 second address: DD614E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F40CD2F7496h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F40CD2F74A9h 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F40CD2F74A2h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD65AF second address: DD65BD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F40CD1CB526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD65BD second address: DD65C7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F40CD2F7496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD65C7 second address: DD65D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jl 00007F40CD1CB526h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD65D7 second address: DD65F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB0ED second address: DDB10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F40CD1CB52Ch 0x0000000a push eax 0x0000000b pop eax 0x0000000c js 00007F40CD1CB526h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB10B second address: DDB10F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB10F second address: DDB113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC00B second address: DDC011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3B45F second address: D3B480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F40CD1CB530h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3B480 second address: D3B486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3B486 second address: D3B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE1741 second address: DE1745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE1745 second address: DE174B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE44B8 second address: DE44E1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F40CD2F74ADh 0x0000000c jmp 00007F40CD2F74A7h 0x00000011 pop esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE44E1 second address: DE44E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE44E5 second address: DE4509 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F40CD2F749Eh 0x0000000c push edx 0x0000000d pop edx 0x0000000e jg 00007F40CD2F7496h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F40CD2F749Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE4509 second address: DE4519 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F40CD1CB526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE4519 second address: DE451F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE881C second address: DE8836 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F40CD1CB52Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8836 second address: DE883C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE883C second address: DE8842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8842 second address: DE8854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F40CD2F749Ah 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE813C second address: DE8140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8140 second address: DE8153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F40CD2F749Eh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8153 second address: DE8157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8157 second address: DE8167 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F40CD2F74A2h 0x00000008 jo 00007F40CD2F7496h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE8167 second address: DE816E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE82B3 second address: DE82CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F40CD2F74A2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE82CC second address: DE82E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB536h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE82E6 second address: DE82F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007F40CD2F7496h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE82F8 second address: DE82FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECDDA second address: DECDF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F40CD2F74A2h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECDF8 second address: DECE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD1CB537h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECE15 second address: DECE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECE1A second address: DECE26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F40CD1CB526h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECF68 second address: DECF72 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F40CD2F7496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECF72 second address: DECF7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED271 second address: DED277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED277 second address: DED284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F40CD1CB526h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91774 second address: D91778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91778 second address: D9178F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jmp 00007F40CD1CB52Ch 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9178F second address: D91795 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91795 second address: D91799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91799 second address: D9181C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F40CD2F749Eh 0x00000012 clc 0x00000013 pop edx 0x00000014 mov ebx, dword ptr [ebp+12496732h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F40CD2F7498h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 xor edi, dword ptr [ebp+1246D5CDh] 0x0000003a add eax, ebx 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F40CD2F7498h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 nop 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F40CD2F749Eh 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9181C second address: D91821 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91821 second address: D91832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F40CD2F7496h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91832 second address: D9185F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 jmp 00007F40CD1CB539h 0x0000000d push 00000004h 0x0000000f nop 0x00000010 push ebx 0x00000011 jc 00007F40CD1CB52Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9185F second address: D9186A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED3ED second address: DED3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED3F3 second address: DED3FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEDFE7 second address: DEE004 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40CD1CB52Eh 0x00000008 push edi 0x00000009 jmp 00007F40CD1CB52Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF140A second address: DF1432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F40CD2F7498h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F40CD2F74A1h 0x00000011 popad 0x00000012 pushad 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 push eax 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1432 second address: DF143A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF143A second address: DF146F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A2h 0x00000009 jnl 00007F40CD2F7496h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F40CD2F74A4h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF172E second address: DF175B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F40CD1CB532h 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F40CD1CB52Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF175B second address: DF1765 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F40CD2F7496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1896 second address: DF189C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF189C second address: DF18A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF18A6 second address: DF18C2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F40CD1CB532h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF18C2 second address: DF18CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F40CD2F7496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF18CC second address: DF18E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F40CD1CB531h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF18E7 second address: DF18ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF18ED second address: DF18F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF18F3 second address: DF18F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1A26 second address: DF1A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F40CD1CB526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1A30 second address: DF1A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40CD2F74A1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1A5D second address: DF1A63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1A63 second address: DF1A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40CD2F74A9h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF1A82 second address: DF1A8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF8E99 second address: DF8E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF8E9F second address: DF8EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF903C second address: DF9053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 jg 00007F40CD2F749Ah 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9053 second address: DF9057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9057 second address: DF908A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F40CD2F74A9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF908A second address: DF9097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F40CD1CB52Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9097 second address: DF909E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF909E second address: DF90AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F40CD1CB526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF94B1 second address: DF94BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF94BA second address: DF94C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF94C0 second address: DF94C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF94C4 second address: DF94D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F40CD1CB526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9A4D second address: DF9A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9A53 second address: DF9A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9A5D second address: DF9A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F40CD2F749Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9A77 second address: DF9A89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F40CD1CB526h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9A89 second address: DF9A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF9A8D second address: DF9A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFAC3B second address: DFAC40 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFAC40 second address: DFAC4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFEEAE second address: DFEEB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDF46 second address: DFDF6D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F40CD1CB526h 0x00000008 jg 00007F40CD1CB526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jmp 00007F40CD1CB534h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDF6D second address: DFDF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnp 00007F40CD2F7496h 0x0000000c jmp 00007F40CD2F74A1h 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDF90 second address: DFDFB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F40CD1CB526h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F40CD1CB534h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE2AD second address: DFE2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE580 second address: DFE586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE586 second address: DFE59C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE710 second address: DFE72A instructions: 0x00000000 rdtsc 0x00000002 js 00007F40CD1CB526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F40CD1CB526h 0x00000014 jne 00007F40CD1CB526h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFE876 second address: DFE880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFEA33 second address: DFEA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFEA39 second address: DFEA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007F40CD2F7496h 0x0000000c jno 00007F40CD2F7496h 0x00000012 jo 00007F40CD2F7496h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFEA53 second address: DFEA58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFEA58 second address: DFEA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E036FD second address: E03729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F40CD1CB526h 0x0000000a popad 0x0000000b jmp 00007F40CD1CB532h 0x00000010 pushad 0x00000011 jp 00007F40CD1CB526h 0x00000017 jnp 00007F40CD1CB526h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0BCCB second address: E0BCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F749Dh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0BCE1 second address: E0BCE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4DD6B second address: D4DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4DD73 second address: D4DD9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD1CB530h 0x00000009 jmp 00007F40CD1CB52Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09FD9 second address: E09FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09FE1 second address: E09FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F40CD1CB526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A45F second address: E0A497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F40CD2F749Eh 0x0000000f pop edi 0x00000010 pushad 0x00000011 jmp 00007F40CD2F74A8h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A5B0 second address: E0A5B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A5B6 second address: E0A5BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A5BC second address: E0A5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F40CD1CB536h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0A5DB second address: E0A616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40CD2F74A6h 0x00000009 pop ebx 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F40CD2F749Fh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007F40CD2F7496h 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0AA04 second address: E0AA08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09A72 second address: E09A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E09A77 second address: E09A7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E12666 second address: E1266C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D820 second address: E1D837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD1CB533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D288 second address: E1D28E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D28E second address: E1D29E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F40CD1CB532h 0x00000008 jg 00007F40CD1CB526h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D29E second address: E1D2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F40CD2F74B1h 0x0000000d jno 00007F40CD2F7496h 0x00000013 jmp 00007F40CD2F74A5h 0x00000018 jns 00007F40CD2F749Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D2DA second address: E1D2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D45D second address: E1D461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E23778 second address: E2378A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F40CD1CB526h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E252A4 second address: E252AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F40CD2F7496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3F8D2 second address: E3F8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E668 second address: E3E670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E670 second address: E3E674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E674 second address: E3E6AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40CD2F749Dh 0x00000010 jmp 00007F40CD2F749Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3E6AB second address: E3E6AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3EC17 second address: E3EC37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A6h 0x00000007 jbe 00007F40CD2F7496h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E41165 second address: E41171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5918A second address: E5918E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5918E second address: E59194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E58FD1 second address: E59005 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F749Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F40CD2F7496h 0x00000013 jmp 00007F40CD2F74A8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E59005 second address: E5900F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F40CD1CB526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5900F second address: E59015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D472D6 second address: D472FE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F40CD1CB52Ah 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F40CD1CB52Bh 0x00000015 jnc 00007F40CD1CB526h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D472FE second address: D47338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F40CD2F749Ah 0x0000000b jmp 00007F40CD2F749Ah 0x00000010 jmp 00007F40CD2F74A3h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jg 00007F40CD2F7496h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47338 second address: D4733C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EFEE second address: E5EFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EFF3 second address: E5F00D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F40CD1CB533h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EEB0 second address: E5EEC8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F40CD2F7496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F40CD2F7496h 0x00000012 jnl 00007F40CD2F7496h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EEC8 second address: E5EECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6075A second address: E6075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6075F second address: E6078C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F40CD1CB537h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jo 00007F40CD1CB532h 0x00000013 js 00007F40CD1CB526h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E65B6A second address: E65B7A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007F40CD2F7496h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E65B7A second address: E65B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E65B7E second address: E65B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E66160 second address: E6618F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40CD1CB526h 0x00000008 jmp 00007F40CD1CB52Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007F40CD1CB539h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6618F second address: E661B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40CD2F74A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F40CD2F7496h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E661B0 second address: E661B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E66450 second address: E66480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F40CD2F74A7h 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F40CD2F7496h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E66480 second address: E66484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E66484 second address: E66488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E69AC5 second address: E69AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 jnl 00007F40CD1CB52Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E694EE second address: E694F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6EAE8 second address: E6EAF8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F40CD1CB526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6EBAE second address: E6EBB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6EBB2 second address: E6EBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73CF3 second address: E73CFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6969F second address: E696B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F40CD1CB52Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D890EB second address: D890F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D894CE second address: D894FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F40CD1CB526h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F40CD1CB537h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BCD903 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BCB0EE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BCD944 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E14999 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 5020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 53A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 51B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5232F rdtsc

0_2_00D5232F

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6620

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00DB944E GetSystemInfo,VirtualAlloc,

0_2_00DB944E

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5232F rdtsc

0_2_00D5232F

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: file.exe, 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\Desktop\file.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Jump to behavior

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1	Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1	Jump to behavior

Disables Windows Defender Tamper protection

Source: C:\Users\user\Desktop\file.exe

Registry value created: TamperProtection 0

Jump to behavior

Modifies windows update settings

Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	41 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Bypass User Account Control	261 Virtualization/Sandbox Evasion	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Bypass User Account Control	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562725
Start date and time:	2024-11-25 23:33:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com
Report size getting too big, too many NtProtectVirtualMemory calls found.
VT rate limit hit for: file.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.431326791464521
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'854'400 bytes
MD5:	d821ac834f35b06fb131da343b7e6c9c
SHA1:	d473013e11fd925375dafa82db9f3964f1280900
SHA256:	e9e4689b18e965bb2559fb88fc7c2b22e59e672bf26d40355dab04117f2df18e
SHA512:	1de630ff3cfbab998c95c624978e47f72c0f38452321b640e6120025f86351169a4e86255c94e4caab8b3b47e8c0af95edffd850736ed78f6c644c3b0eb85fb9
SSDEEP:	49152:8/Fz17+uoECXIB7wSouuet2vZc8SpVvDhgU26Q:8/F57+tXIjbtDVvDhg7
TLSH:	2BD52B92B509F1CFD88E2778A867CD869B5D03A5471048C3A85CB8FABDE3DC511F9D28
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............,.. ...`....@.. .......................@,.......,...`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x6c0000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:	0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F40CCEC3A6Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x81f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x4000	0x1200	288996c6a32764fd3dbc5331701d0c15	False	0.9338107638888888	DOS executable (COM, 0x8C-variant)	7.814422229062923	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6000	0x59c	0x600	aae15e30898a02f09cc86ed48aa06b09	False	0.4140625	data	4.036947054771808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0x2000	0x200	ec9cb51e8cb4ea49a56ee3cf434fb69e	False	0.1484375	data	0.9342685949460681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xzcmddim	0xa000	0x2b4000	0x2b2e00	2c6380da8c02298a86e1420a5af17944	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cwrknqot	0x2be000	0x2000	0x400	55a21d3354bcca2040b2f20e8acc05c6	False	0.7451171875	data	5.971349447911546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x2c0000	0x4000	0x2200	2bd788071153ef2528dec7d339ad2b74	False	0.06169577205882353	DOS executable (COM)	0.7038804893029154	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.42948717948717946
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
kernel32.dll	lstrcpy

Target ID:	0
Start time:	17:33:58
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xbc0000
File size:	2'854'400 bytes
MD5 hash:	D821AC834F35B06FB131DA343B7E6C9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	7.8%
Signature Coverage:	12.2%
Total number of Nodes:	115
Total number of Limit Nodes:	15

Executed Functions

Function 00DB944E Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,-11705FEC), ref: 00DB945A
VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00DB94BB

Memory Dump Source

Source File: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: AllocInfoSystemVirtual
String ID:
API String ID: 3440192736-0
Opcode ID: 5f90bf9a068790c3bc6432049d0a7fcba6a632cebbdd803b2c2880b6c106c18b
Instruction ID: 9ba7915bda794764ed045c0bf7976a319534a48e67b78b0bf686ceb448b93b7e
Opcode Fuzzy Hash: 5f90bf9a068790c3bc6432049d0a7fcba6a632cebbdd803b2c2880b6c106c18b
Instruction Fuzzy Hash: D7411171A40246AFE739CF61C855FD6B7ACFF84741F4000A2F603C9882EBB095D48BA4

Function 00D5232F Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00D5232F

Memory Dump Source

Source File: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 06ecfc415f96a2d152f9c6826951f63a2f3deecd193ab88d06113e760d9fb816
Instruction ID: 67d77dc031b94802d824bb03d4ffa29f40d161390af5a9e11aa1edf5d076a00f
Opcode Fuzzy Hash: 06ecfc415f96a2d152f9c6826951f63a2f3deecd193ab88d06113e760d9fb816
Instruction Fuzzy Hash: 7F3143F250C210BFE7016E05EC81BBEFBE9EF84764F16492EEAC482610D77548549BA7

Function 00D614B7 Relevance: 4.6, APIs: 3, Instructions: 69
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00D614F5
RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00D6151C
GetNativeSystemInfo.KERNELBASE(?), ref: 00D61573

Memory Dump Source

Source File: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: Open$InfoNativeSystem
String ID:
API String ID: 1247124224-0
Opcode ID: a4f8adf11e815a5490ed9139929ad295063be0fd8849c0d37bed423a5106a6e7
Instruction ID: 94b836cfbda04594e253bbf23a78dfe5c008e13bc3d6172e383a9b2213315ac6
Opcode Fuzzy Hash: a4f8adf11e815a5490ed9139929ad295063be0fd8849c0d37bed423a5106a6e7
Instruction Fuzzy Hash: 2731097540420EDFEF21DF60C848BEF3BB9EF05311F140826ED0286951D7768DA88B69

Function 00DB9E7A Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00DB9E96

Memory Dump Source

Source File: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a27e532fee1708026d28324cbd0fe9f11cba94653e59f772696d7490ab0c67b8
Instruction ID: 5feeb1f7a25fcb9ee4bc837f2a915b2dfcc986c7037d94bcc8463e3cbf57c620
Opcode Fuzzy Hash: a27e532fee1708026d28324cbd0fe9f11cba94653e59f772696d7490ab0c67b8
Instruction Fuzzy Hash: B141587190025AEFDB35DF28C854BE9B7A5FF04324F188059EA43AA591C371ED90DBA1

Function 00BCE5BD Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00BCF3EF

Strings

sv, xrefs: 00BCE5C5

Memory Dump Source

Source File: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID: sv
API String ID: 4275171209-432873054
Opcode ID: b131734c29441bbe8d6b400707ae435041ee09c14ca3dbe2cd7dfd0e4fcb7431
Instruction ID: 24181394ae88ab3121b4faf6f5a581d91821f9a0f4875f5a6c83d6e176f87ca7
Opcode Fuzzy Hash: b131734c29441bbe8d6b400707ae435041ee09c14ca3dbe2cd7dfd0e4fcb7431
Instruction Fuzzy Hash: 19012B7711C010CFE7085F398D595BE7BD6EFD0320F26872DD8935BA44D6305C059692

Function 00DB9BC7 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00DB9C74

Memory Dump Source

Source File: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 9fb5a3e9dcd61d7c6227168d6461e49f6d873cd51926c761e6777bea851030c7
Instruction ID: 4ed2cd9bb0ef56746f6bea28a8d68058e67cef78e381628ff64c446dec06de7a
Opcode Fuzzy Hash: 9fb5a3e9dcd61d7c6227168d6461e49f6d873cd51926c761e6777bea851030c7
Instruction Fuzzy Hash: 8E11B671E01669DFEB309A14CC68BEAFBFCEF44710F184095EA47A6045D771DD808AB5

Function 05020D41 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05020DCD

Memory Dump Source

Source File: 00000000.00000002.2217589009.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 607188bde284a20c4e89e9c63d0402a563f24c2761e8ae09a2ace85665e85039
Instruction ID: 36536a1e5dc08a1d43864c88b9848d31f48f5a4bf46a3c149250da58915b2d59
Opcode Fuzzy Hash: 607188bde284a20c4e89e9c63d0402a563f24c2761e8ae09a2ace85665e85039
Instruction Fuzzy Hash: 592147B6C013189FCB50DF99E884ADEFBF0FF88310F14812AD809AB244D774A541CBA4

Function 05020D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05020DCD

Memory Dump Source

Source File: 00000000.00000002.2217589009.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_file.jbxd

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e8bcaf5fa0d8a2f4f15c105282897200759ef630db4e91421fef0691afe6ccc8
Instruction ID: 32488f56e3aa69214c0a149383714a4af7c34999641a7dd39ec5e1a99f2397f4
Opcode Fuzzy Hash: e8bcaf5fa0d8a2f4f15c105282897200759ef630db4e91421fef0691afe6ccc8
Instruction Fuzzy Hash: 782124B6C016189FCB50CF99E888ADEFBF4FF88310F14811AE909AB204D774A540CBA4

Function 05021509 Relevance: 1.6, APIs: 1, Instructions: 56
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 05021580

Memory Dump Source

Source File: 00000000.00000002.2217589009.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 661473716d3657c3ef238f3401dc5dfb71ff496f946cea3799a83ff156f997ad
Instruction ID: 006a6b8348c988692cfbe292b0cec483c0617bc571f87529a3538009a244789a
Opcode Fuzzy Hash: 661473716d3657c3ef238f3401dc5dfb71ff496f946cea3799a83ff156f997ad
Instruction Fuzzy Hash: 3C21F2B1D002599FCB10CF9AD484ADEBBF4EB48320F10842AE959A7250D378AA45CFA5

Function 05021510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ControlService.ADVAPI32(?,?,?), ref: 05021580

Memory Dump Source

Source File: 00000000.00000002.2217589009.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_file.jbxd

Similarity

API ID: ControlService
String ID:
API String ID: 253159669-0
Opcode ID: 2f4d2ae8f6272c1a116e56682589f6c7fe83383a93d6496db2e888e8a4032f6b
Instruction ID: 1de41d492e14a1242365285f64492288c02af992fa6ff6b98bc2522140ae1854
Opcode Fuzzy Hash: 2f4d2ae8f6272c1a116e56682589f6c7fe83383a93d6496db2e888e8a4032f6b
Instruction Fuzzy Hash: 5F11D3B1D00259DFDB10CF9AD584ADEFBF4FB48320F10802AE959A3250D378AA44CFA5

Function 00DB2972 Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 00DB29F9

Memory Dump Source

Source File: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a83fab1e773765c7dad2a59a5c80731516cbfdd1356f3d8e4850b3aefd0c78d4
Instruction ID: d6eeadaf5c86e53643c9870237ebec21c45c17f7a51bc131ee96ad2123f7b8e4
Opcode Fuzzy Hash: a83fab1e773765c7dad2a59a5c80731516cbfdd1356f3d8e4850b3aefd0c78d4
Instruction Fuzzy Hash: 7611903350020AEECF22AFA4DC0ADEE7B66FF4A351B044521B91665421C736C572EBB1

Function 00DB275A Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ed5706d0ac7974ce9de81e4fdd9eef1f0bd77d3cd15ddaa9d58a7cb53bf409
Instruction ID: aa776561cca978a66a450aa936351b76ab2b21e2db9dc306e4300ca2ed17bcf5
Opcode Fuzzy Hash: 44ed5706d0ac7974ce9de81e4fdd9eef1f0bd77d3cd15ddaa9d58a7cb53bf409
Instruction Fuzzy Hash: A411393650020AEFCF52AFA8C949EEE3BA6EF45344F148024F91656061CB35C965EB70

Function 05021301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 05021367

Memory Dump Source

Source File: 00000000.00000002.2217589009.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: 4994c54c0aec92ce2795c918e0ebae93bed51594347b6990b30f62fcbe71d462
Instruction ID: 6d8ae0ee9b74913637ee7da20a5c25af7c3ffd96aea3c3c08e0e933c1d60ebfd
Opcode Fuzzy Hash: 4994c54c0aec92ce2795c918e0ebae93bed51594347b6990b30f62fcbe71d462
Instruction Fuzzy Hash: 441125B1800259CFDB10DF9AD584BEEFBF8EF49320F24846AD519A3250C778A645CFA5

Function 05021308 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.KERNELBASE ref: 05021367

Memory Dump Source

Source File: 00000000.00000002.2217589009.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5020000_file.jbxd

Similarity

API ID: ImpersonateLoggedUser
String ID:
API String ID: 2216092060-0
Opcode ID: eef9b713199bd52e191b5ef3bb15d5d908d33747ffe6602b1ca8eb18c7a3e253
Instruction ID: fb9a27dbedb19e3e13cd1e96665a120cb5d6ebc60c3db9583e101a8a283fa3a7
Opcode Fuzzy Hash: eef9b713199bd52e191b5ef3bb15d5d908d33747ffe6602b1ca8eb18c7a3e253
Instruction Fuzzy Hash: A11125B18002498FDB10CF9AD444BDEFBF8EB48320F10842AD518A3250C778A544CBA5

Function 00DB203E Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,?), ref: 00DB20AA

Memory Dump Source

Source File: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 638c232465eed02b522730883f829ca27d298ae83a52f0da9628d3956ce50639
Instruction ID: 5a7a6b38c8645243730340e36d0919c5133424d31e0ff4069d164831b9d32371
Opcode Fuzzy Hash: 638c232465eed02b522730883f829ca27d298ae83a52f0da9628d3956ce50639
Instruction Fuzzy Hash: D3F0C43360010AEFCF22AFA8DD09DAE3B66FF8A390B044521F91649021C732C4A1EB71

Function 00D74526 Relevance: 1.4, APIs: 1, Instructions: 117sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00D74526

Memory Dump Source

Source File: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 48cededbd7ea5c16f9318d81b439b0a59c5168d8294ac71156a844aa6257d9bd
Instruction ID: 06b82ca8a2ee0941ed4f6fba6dfcafc17e915de98284877d1dc436447f98456f
Opcode Fuzzy Hash: 48cededbd7ea5c16f9318d81b439b0a59c5168d8294ac71156a844aa6257d9bd
Instruction Fuzzy Hash: EF317FB250C600AFD301AE29D8446BEFBE5EFD8320F264D2DE6D583650E7348980CB57

Function 00D76015 Relevance: 1.3, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00D76015

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d5c2f500ee5a6aa1eb64dff126bfed9813c433f021949be0883e4beb0b4276f0
Instruction ID: 40e14713d2c2ee8d7b8bbe059206f35a5ab30b6e9bba850893195b7bd07f60c8
Opcode Fuzzy Hash: d5c2f500ee5a6aa1eb64dff126bfed9813c433f021949be0883e4beb0b4276f0
Instruction Fuzzy Hash: B63191B250C7049FE7126E19EC8167AFBE9EF98754F16482DEAC483700E63598148B97

Function 00D7CCD8 Relevance: 1.3, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956fc3decc5d74206c06933c12f9b90b2779e0eeb222af14f776954f308d9dad
Instruction ID: 08c91e926b026302daff4fc1153a42a74cc7d1ce44ad07f177823b63cb035303
Opcode Fuzzy Hash: 956fc3decc5d74206c06933c12f9b90b2779e0eeb222af14f776954f308d9dad
Instruction Fuzzy Hash: D8F0F6621782E29FC7331B74855636D7F009B25320F24F5ADF88E1B883F35694159736

Function 00DB97F1 Relevance: 1.3, APIs: 1, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00DB97ED,?,?,00DB94F3,?,?,00DB94F3,?,?,00DB94F3), ref: 00DB9811

Memory Dump Source

Source File: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ad00faea6f0ee0bd440fa1b88b1d82f5222551b8abb8c4490230bb97be261139
Instruction ID: 2febf1ffa334ced0aca1a4dc1e0ca5c9a4fe484ac0dcbcdbb994d83209d7930d
Opcode Fuzzy Hash: ad00faea6f0ee0bd440fa1b88b1d82f5222551b8abb8c4490230bb97be261139
Instruction Fuzzy Hash: 5CF0A4B5A00206EFD7318F14CD05B99BBB8FF8A761F148468F54A9B591E7B198C0CBA0

Function 00BCEF99 Relevance: 1.3, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 00BCF298

Memory Dump Source

Source File: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1883d9048ee7a87a059234e5c9f6348facd56a424e681cbfa858850c5c085e01
Instruction ID: 1c99a5db690941c1e9c98299d37e73cbb7bcc8783bf01b87ebcf66c423f6379d
Opcode Fuzzy Hash: 1883d9048ee7a87a059234e5c9f6348facd56a424e681cbfa858850c5c085e01
Instruction Fuzzy Hash: 00F0F4B24087249FE3016F64D8C1BFABBE4EB04351F16057DEAC187A40C63128808B97

Function 00D7CC50 Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 00D7CCB7

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 15a1c6f8ed17d8f957008a0d982004fca017f8af99c89414a7d3cc84104466e5
Instruction ID: f35c9055c0066c08954fbb3c0fe366f624e89f8ba5fde5ff902e7b451d25f138
Opcode Fuzzy Hash: 15a1c6f8ed17d8f957008a0d982004fca017f8af99c89414a7d3cc84104466e5
Instruction Fuzzy Hash: B1E012611B83626DD5076FEC4A8677D7545AB26B34F30E01EF9CEAD082F39184505735

Function 00D7CC6B Relevance: 1.3, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 00D7CCB7

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e67cf84cb5350bca0b4d0b0b341865111344383578d14ec8f16b8635a636f51a
Instruction ID: 0da8fd1dbc7af7f1756376484d051d063c2f9da9da0a67dc5cb666bbbc57b3ea
Opcode Fuzzy Hash: e67cf84cb5350bca0b4d0b0b341865111344383578d14ec8f16b8635a636f51a
Instruction Fuzzy Hash: D6E026310242766EC7076FB8C88526E7A45DF11320B38C02DECCE9A402E31184558730

Function 00D7CC5F Relevance: 1.3, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 00D7CCB7

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d42d3dbea6ededb720feac0e2c260dd356d160968e22be83cd14d848806bc430
Instruction ID: 9f1c40258a94731306c754cdad8013eea66baf1e08506d30d49d7451b37e3e7b
Opcode Fuzzy Hash: d42d3dbea6ededb720feac0e2c260dd356d160968e22be83cd14d848806bc430
Instruction Fuzzy Hash: 07E0C2720642226ED6032FA8488577E7544DB21320F30D50EF8CE9A042F39084004731

Function 00D7CC28 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 00D7CCB7

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8f515abe50442857b6ffed929a87f53f6a7ca8308dec9f01caa32906ca47e87b
Instruction ID: 50bb66f24ba256c5bc0dbe502b5730edb9acf3f2363677a4ad091b0cde7e0112
Opcode Fuzzy Hash: 8f515abe50442857b6ffed929a87f53f6a7ca8308dec9f01caa32906ca47e87b
Instruction Fuzzy Hash: 14E012A14782A61ECB075FE8991A22CBA509B76721F64F14FF98D45083F35144208F76

Function 00D7CC90 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 00D7CCB7

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4cd27d07dc2ec6d5e4192bb38f7e81126253c93bd295d3d36f352a73fca9189d
Instruction ID: 6494c7fe202f81660811c5223f189827974f259d737cdba143e7e9f4cfefb228
Opcode Fuzzy Hash: 4cd27d07dc2ec6d5e4192bb38f7e81126253c93bd295d3d36f352a73fca9189d
Instruction Fuzzy Hash: A7D012614586965EC7265FBC4409159BB005B22710F14934EE89D89483E71240208F31

Non-executed Functions

Function 00E61DDB Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

E},, xrefs: 00E61F7C

Memory Dump Source

Source File: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID:
String ID: E},
API String ID: 0-221651890
Opcode ID: 37fda52394887c3319f484c33deb804e52ea8f424e4af04cc37d56b17c5e0d3a
Instruction ID: 6cfca7f6abcf21b0d18efbb22868d4d57d217ff71fb9c027a9896e56b744249d
Opcode Fuzzy Hash: 37fda52394887c3319f484c33deb804e52ea8f424e4af04cc37d56b17c5e0d3a
Instruction Fuzzy Hash: 5BC19FB36483049FD7105E2CEC84767B7E9EB84720F2A463DEE84D3740EA3A9C458755

Function 00DB26F6 Relevance: 1.5, APIs: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00DB273D

Memory Dump Source

Source File: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID: CryptSignatureVerify
String ID:
API String ID: 1015439381-0
Opcode ID: 2ee205f1f20c002ecfcd50c6777212d2cbd4c68c63b3f1d5ae32e87707497176
Instruction ID: 209c67237fb71714df6ba0d298a01a3f71b47ab4c305142ae2b43df06b62a756
Opcode Fuzzy Hash: 2ee205f1f20c002ecfcd50c6777212d2cbd4c68c63b3f1d5ae32e87707497176
Instruction Fuzzy Hash: 55F0F83260010AEFCF11CF94D944ADC7BB2FF49355B108129F91696211DB759A61EF54

Function 00D78876 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4c28ac22f23db64b008e0eb4b8b40051d2366febdfb996fb4f56c181459bf0
Instruction ID: 7af0feb88b2fc83e85a166a67ba28510fbd5f60e51f4957bc9cc8585787305b3
Opcode Fuzzy Hash: 4c4c28ac22f23db64b008e0eb4b8b40051d2366febdfb996fb4f56c181459bf0
Instruction Fuzzy Hash: 8A91DF7240D3C1AFD7039B2498646AABFB0FF96220F5A89DFD9C48B193D3245858D763

Function 00D52783 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b30c353fdc0742d627baaf5924b1888b7344403fad59be6d8ff16aa299b47e1
Instruction ID: e39c88bb5c554967d854140499dfaf10213b5874c624429f4fbae5f67c33a3d8
Opcode Fuzzy Hash: 2b30c353fdc0742d627baaf5924b1888b7344403fad59be6d8ff16aa299b47e1
Instruction Fuzzy Hash: 894165B250C304AFE311AF69D8816AAFBF8FF59310F06492ED6D483611D6329580CB97

Function 00DE7FF0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2215977320.0000000000DE5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.2215319142.0000000000BC0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215332673.0000000000BC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215347117.0000000000BC6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215360984.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215376025.0000000000BD4000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215389637.0000000000BD5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215403142.0000000000BD6000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215495050.0000000000D39000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215510296.0000000000D3C000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215531491.0000000000D4F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215544936.0000000000D50000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215559128.0000000000D5B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215587426.0000000000D5F000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215601108.0000000000D62000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215613440.0000000000D63000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215626341.0000000000D65000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215642029.0000000000D6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215654129.0000000000D6F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215667375.0000000000D70000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215682450.0000000000D74000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215695855.0000000000D75000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215709788.0000000000D76000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215727032.0000000000D8D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215741349.0000000000D90000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215756413.0000000000D91000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215771491.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215785541.0000000000D9A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215799573.0000000000DA1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215813103.0000000000DA2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215827409.0000000000DA7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215844889.0000000000DB2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215857922.0000000000DB4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215871196.0000000000DB5000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215884757.0000000000DB7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215902112.0000000000DCA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215916794.0000000000DCF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215932537.0000000000DDA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215947547.0000000000DE2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215964064.0000000000DE3000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2215991623.0000000000DEC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216004691.0000000000DEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216018010.0000000000DEF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216032565.0000000000DF3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216047538.0000000000DFD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216061458.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216076418.0000000000E0B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216090791.0000000000E0D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216105965.0000000000E1A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216122171.0000000000E1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216136774.0000000000E1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216152959.0000000000E1E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216169259.0000000000E29000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216183804.0000000000E2A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216202063.0000000000E41000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216215392.0000000000E42000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216240824.0000000000E64000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216255910.0000000000E67000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E68000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216269133.0000000000E6E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216301766.0000000000E7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2216314952.0000000000E80000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee72b1e2a43dea36b68f3b47abd445e2d7d9ec27dba83aabd2753100fd755483
Instruction ID: 26fc85b6f79860ec5d69467a09109e5f00c27a5d419f0ca73f62cee6f8d239f2
Opcode Fuzzy Hash: ee72b1e2a43dea36b68f3b47abd445e2d7d9ec27dba83aabd2753100fd755483
Instruction Fuzzy Hash: 6D3130B291C714AFE3057F28D84567AFBE4EF18350F06092DEAC593650D635A8408B87

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: file.exePID: 6564, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6564, Parent PID: 1028COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
file.exe

Function 00DB944E Relevance: 3.1, APIs: 2, Instructions: 107
memoryCOMMON

Function 00D5232F Relevance: 1.6, APIs: 1, Instructions: 112
libraryCOMMON

Function 00D614B7 Relevance: 4.6, APIs: 3, Instructions: 69
registryCOMMON

Function 00DB9E7A Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 00BCE5BD Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 53
memoryCOMMON

Function 00DB9BC7 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 05020D41 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 05020D48 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 05021509 Relevance: 1.6, APIs: 1, Instructions: 56
serviceCOMMON

Function 05021510 Relevance: 1.6, APIs: 1, Instructions: 54
serviceCOMMON

Function 00DB2972 Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Function 00DB275A Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 05021301 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON